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Notations 


R[x] 
Z{x] 
Zq\x] 

|x| 

N (xo, 1) 
[a] 

{a} 

La] 

f 

A, 1) 
E(é) 
Var (&) 
Pr{A} 
U(G) 
P(x) 
poly(n) 
L=L(B) 
L(B)* 
F(B) 
Ai(L) 
p(L) 
ne(L) 
a|x) 

x:y 
A®B 
€(n) f 
g(n) = O(f(n)) 


n dimensional Euclidean space 

Integer points in R” 

Residue class ring mod q 

Complex field 

Polynomial ring of one variable on R 
Polynomial ring of one variable on Z 
Polynomial ring of one variable on Z, 

ly norm of vector x 

Sphere with center xo and radius r in R” 

The largest integer no more than real number a 
The fractional part of real number a 

The nearest integer to real number a 

Fourier transform of function f 

Statistical distance of random variable € and 7 
Expectation of random variable & 

Variance of random variable é 

Probability of random event A 

Uniform distribution on G 


Cumulative distribution of standard normal distribution 


Polynomial function of n 
Lattice L with generated matrix B 


Dual lattice of L with generated matrix (B’)~! 


Basic neighborhood of lattice with generated matrix B 


Minimal distance of lattice L 
Covering radius of lattice L 
Smoothing parameter of lattice L 
Product of real number a and vector x 
Inner product of vector x and y 
Kronecker product of matrix A and B 
Negligible function of n 


g(n) = O(f (n)loglog| f()|) 


Chapter 1 ®) 
Random Lattice Theory ra 


x] J1 
Let IR” be the Euclidean space of dimensionn,x = | : |,y =| : | aretwo vectors 
Xn Yn 
of R”, the inner product of x and y is defined as 
Xo y =x t+ x.y. +--+ Xnyn =X". (1.0.1) 


The Euclidean norm |x| of vector x (also called the /, norm) is defined as 
[x] = (a2 4x2 +---422)2 = Jaen. (1.0.2) 


Let B = (bij)nxn € R"*” be an invertible square matrix of order n, a full-rank 
lattice L in R” is defined as 


L = L(B) = {Bx |x € Z"}. (1.0.3) 


A lattice L is a discrete geometry in R”, in other words, there is a positive constant 
A, =A,(L) > 0 anda vector a € L satisfying a ~ 0, such that 
la] = min |x| =A, (ZL). (1.0.4) 
xeEL,xA~0 
A, is called the shortest distance in L, a is the shortest vector in L. A sphere in n 
dimensional Euclidean space R” with center xo and radius r is defined as 


N(xo,r) = {x € R" | |x —x0| <r}, x0 € R". (1.0.5) 
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In particular, N (0, 7) represents a sphere with origin as the center of the circle and 
radius r. The discretization of a lattice is equivalent to the fact that the intersection 
of L with any sphere N (xo, r) is a finite set, i.e. 


*(L A N(x0,r)} < 00. (1.0.6) 


Let L = L(B) bealattice, B is the generated matrix of L. Block B by each column 
vector as B = [B), Bo, ..., B,], the basic neighborhood F(B) of L is defined as 


F(B) = {)_ x:6) |O< x; < 1}. (1.0.7) 


i=1 


Clearly the basic neighborhood F(B) is related to the generated matrix B of L, 
which is actually a set of representative elements of the additive quotient group 
R"/L. F*(B) is also a set of representative elements of the quotient group R”/L, 
where 


‘ 1 1 
F*(B)= iBi| —> <x < Zh, 
(B) oD xiBi| — 5 <% <5) 
therefore, F*(B) can also be a basic neighborhood of the lattice L. The following 
property is easy to prove [see Lemma 2.6 in Chap. 7 in Zheng (2022)] 


Vol(F(B)) = |det(B)| = det(L). (1.0.8) 


That is, the volume of the basic neighborhood of L is an invariant and does not 
change with the choice of the generated matrix B. We denote det(L) = |det(B)| as 
the determinant of the lattice L. 

The basic properties of lattice can be found in Chap. 7 of Zheng (2022). The main 
purpose of this chapter is to establish the random theory of lattice. If a lattice L is the 
space of values of a random variable (or random vector), it is called a random lattice. 
Random lattice is a new research topic in lattice theory, and the works of Micciancio 
and Regev (2004), Regev (2004), Micciancio and Regev (2004), Micciancio and 
Regev (2009) are pioneering. In this way, the study of random lattice is no more 
than ten years. For technical reasons, only a special class of random lattices can be 
defined and studied. That is, consider a random variable € defined in R” from a Gauss 
distribution, and limit the discretization of € to L so that L becomes a random lattice. 
Itis a special kind of random lattice, which we call the Gauss lattice. The main purpose 
of this chapter is to introduce Gauss lattice, define the smoothing parameter on Gauss 
lattice and calculate the statistical distance based on the smoothing parameter. The 
mathematical technique used in this chapter is high dimensional Fourier transform. 
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1.1. Fourier Transform 


A complex function f(x) on R” is a mapping of R” — C, where C is the complex 
field. We define the function space L!(R) and L?(R): 


LiRQ)={f:R">C| [irooiax < oo} (1.1.1) 
R" 


and 
L’(R)={f:R">C| [ircorax < oo}. (1.1.2) 
R" 


If f(x), g(x) € L'(R"), define the convolution of f with g as 
feacy= f fo Heeae. (1.1.3) 
R 


We have the following properties about convolution. 


Lemma 1.1.1 Suppose f(x), g(x) € L'(R"), then 
(i) f * g(x) =g* f(x). 
(ii) £ ft * g(x)dx = J f(x)dx - J g(x)dx. 

R" R" 


R 


Proof By the definition of convolution (1.1.3), we have 


g* f(x)= ic — &) f(E)dE = [sore — y)dy = f * g(x). 
R" 


R" 


Property (i) holds. To obtain the second result (ii), we have 


[ fescoar= fof f(x — &)g(&)d& dx 


R Re Re 
Z / / Fv)e(E)dydé = i foay- i eld. 
Re Re Re R 


The lemma is proved. 
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Definition 1.1.1 If f(x) € L'(R"), define the Fourier transform of f (x) as 


f(x) = f ree tae, x eR". (1.1.4) 
R" 


Note that f > f is an operator of the function space defined on L!(R"), which is 
called the Fourier operator. If f(x) = fi (™1) fo(x2)--- fn(%), then the high dimen- 
sional Fourier operator can be reduced to the product of one dimensional Fourier 
operators, i.e. 


f@) = M2, AG. (1.1.5) 


The following are some of the most common and fundamental properties of Fourier 
transform. 


Lemma 1.1.2 Suppose f(x) € L'(R"), g(x) € L'(R"), then 

(i) f * g(x) = f(*)8(x). 

(ii) a € R" is a given vector, denote tq f as the coordinate translation function, i.e. 
Ta f (x) = f(x +a), Vx € R". Then we have T, f (x) = errixa Fy), 

(iii) Let h(x) = e"4 f(x), thus h(x) = f (x —a). 

(iv) Let 8 £0 be he real number, fs(x) = f (4x), then fs(x) = |8|" fg (x) = 
5|" f (6x). 

(v) Let A be an invertible real matrix of order n, namely A € GL, (R), define f o 
A(x) = f(Ax). Then f 0 A(x) a |A|-! fio (A-)})? (x) = (Al f (A478), where 
A! is the transpose matrix of A. 


Proof By definition, we have 


f* g(x) = i; f* ge dé 


R 


= [of @ —»eonayre Fae. 
R" R" 
Taking variable substitution € — y = y’, thené = y + y’, anddé = dy’, so we have 


f* g(x) = / g(yje "dy - if f(ye2™"'dy! = FX) 8), 


R" R" 
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property (i) is proved. Based on the definition of Fourier transform, we have 


TPO) = f FE +ae™tag = f oye **o-ay 


R" R" 
= e2tixa / fe?" dy = etre P(x). 
R" 
property (ii) gets proved. Similarly, we can obtain (iii). Next, we give the proof of 


(iv). Since 6 4 0, and fs(x) = f (Gx), so 


A 1 ; ix 
fa(x) = / fsbo dé = / f (ye |5\"dy 


R" R" 
= / Ff (ye [5/"dy = [8]" f(x). 
R" 
By the condition A € GL, (R), f o A(x) = f(Ax), then 
FoA(x) = / f(Age2"™ ae, 
R" 
Taking variable substitution, y = A€, then A~!y = &, and dé = |A|~'dy, so 


fo A(x) = i; f (ye 24 Ally _ jal / flyje2AY dy 
Rt R" 


=|A\1 f(A) Tx) = Al fo (ATX). 


Lemma 1.1.2 is proved. 


Finally, we give some examples of the Fourier transform. 


Example 1.1 Letn = 1,a € R, a > 0, define the characteristic function 1,~¢,4(x) 
of the closed interval [—a, a] as 


1, xX E [—a, a], 


L[-a,a}() = to Be ¢ [—a, a]. 


Then . 
A sin 271 ax 
L[-a,a\(x) = ————. (1.1.6) 


TUX 
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Forn > 1, leta = (aj, a2, ...,d,) € R", the square [—a, a] is defined as 

[—a, a] = [—a), a] x [—ap, ag] X +++ & [—ay, ay]. 
Define the characteristic function 1;~«,q\(x) of the square [—a, a], then 


* n sin 2wa;x; 
1{~a,ay (x) = IT;_, ————.. (1.1.7) 
UX; 


Proof For the general n, it is clear that 
Lpa,ay (4) = Ty Lpea;,a;1 0). 
Based on Eq. (1.1.5), we only need to prove Eq. (1.1.6). = 1, a € R, so 


, , — 1 

1p-a,ay(X) = i, lanes de = femtag = — sin2max. 

TX 
R —a 


Example 1.2 Let f(x) = e-7"", x € R", then f(x) € L'(R"), and f(x) = f(x), 
namely f(x) is a fixed point of Fourier operator, which is also called a dual function. 


Proof Clearly, f(x) € L'(R"). To prove the fixed point property of f(x), by defi- 
nition 


f(x) = porn = is meal = ak 
R" R" R" 
By one dimensional Poisson integral, 


+00 


/ eo" dy = 1, (1.1.8) 


—0o 


we have the following high dimensional Poisson integral, 


fewray =1. (1.1.9) 


R" 


So we get f(x) = f(x). 
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1.2 Discrete Gauss Measure 


From the property of f(x) = e~** under the Fourier operator introduced in the last 
section, and high dimensional Poisson integral formula (1.1.9), we can generalize 
J (x) as the density function of a random variable from the normal Gauss distribution 
to a general Gauss distribution in R”. We first discuss the Gauss function on R”. 


Definition 1.2.1 Let s > 0 be a given positive real number, c € R” is a vector. The 
Gauss function p;,-(x) centered on c with parameter s is defined as 


psx) =e HPO" y ERY (1.2.1) 


and : 
AO=po), p= ase". (1.2.2) 


From the definition we have 


: 
=n/£P 


1 
Ps (x) = p(—x) =e 
Ss 


and 
s(x) = Ps (x1) tee Ps (Xn). 


It can be obtained from Poisson integral formula (1.1.9) 
i ps(x)dx = i; Ps.c(x)dx = 8”. (1.2.3) 
R" R" 
Lemma 1.2.1 The Fourier transform of Gauss functions p,(x) and ~,..(x) are 
L027 mnaarer" (1.2.4) 


and 
Ds.c(X) = gre Gig): (1.2.5) 


Proof By property (iv) of Lemma 1.1.2 and s > 0, we have 
ps (X) = 8" pijs(X) = 8" A(sx) = s"p(sx). 


The last equation follows from Example 2 in the previous section, therefore, (1.2.4) 
holds. By the property (ii) of Lemma 1.1.2, we have 


PQ) =t 2 =2 3a rer pd). 


Lemma 1.2.1 is proved. 
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Lemma 1.2.2 p;.-(x) is uniformly continuous in R", i.e. for any € > 0, there is 
5 = 5(€), when |x — y| < 6 for x € R", y € R", we have 


|Ps,c(X) — pscly)| <€. 


Proof By definition, 0 < ps.-(x) < 1, hence ps,-(x) is uniformly bounded in R”, we 
will prove Py. ¢(X) is also uniformly bounded in R”. We only prove the case of c = 0. 


Since p,(x) = p;(x|) = +--+ = Ps(X,), without loss of generality, letn = 1, t € R, 
then : 
, UT _ny 
p(t) = ete 2 
When |t| > M, it is clear 
ese 1 
EP 


Hence, when |t| > M, we have 


| ‘wl< 20 es 20 
Pa cs s2|t| ~ s2M° 


For |t| < M, By the continuity of p, (t) we have O: (t) is bounded. This gives the 
proof that Dy. ¢(X) is uniformly continuous in R”. Let | Py, e(X)| < Mo, Vx € R". By 
the differential mean value theorem, we have 


[Ps.c() — Psc(¥) = Py cE) lx — yl < Molx — yl. 


Let 6 = ig then 
[Psc(X) — Ps cL <e, if lx—yl <6. 


We finish the proof of the lemma. 


Definition 1.2.2 For s > 0, c € R", define the continuous Gauss density function 
Ds (x) as 


1 
Dy ¢(X) = gn Pac)» Vx € R’. (1.2.6) 


The definition gives that 


1 
[ Peto = =f c(x)dx =1. 
s” : 
R" 


R" 


Thus, a continuous Gauss density function D,.(x) corresponds to a continuous 
random vector of from Gauss distribution in IR”, and this correspondence is one-to- 
one. 
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Definition 1.2.3. Suppose f(x) : R’ > C is an n-elements function, A C R” is a 
finite or countable set in R”, define f(A) as 


1A] Fm), (1.2.7) 


xeA 


The continuous Gauss density function D, . (x) is also called the continuous Gauss 
measure. In order to implement the transformation from continuous measure to dis- 
crete measure and define random variables on discrete geometry in R”, the following 
lemma is an important theoretical support. 


Lemma 1.2.3 Let L C R" be a full-rank lattice, then 


D;hy= > Dil) < 00: 


xeL 
Proof From definition, 
1 1 = igs ge? 
Dec(L) = = ) Pc) = Dee 
xeL xeL 


By the property of the exponential function e’, there exists a constant My > 0, when 
|x —c| > Mo, 


oe ee (1.2.8) 
Thus, we can divide the points on the lattice L into two sets. Let 
A; =LN {x € R" | |x —cl < Mo} =LAN(c, Mo). 


and 
Az = LN {x € R" | |x —c| > Mo}. 


From (1.0.6) we have 


> eee < > 1=* A, < oo. 


XEA, XEA| 
Based on (1.2.8), 


> en alte? ere <0. (1.2.9) 
vEAQ 
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Since Az is a countable set, the right hand side of the above inequality is clearly a 
convergent series. Combining the above two estimations, we have D, -(L) < 00, the 
lemma is proved. 


To give a clearer explanation of (1.2.9), we provide another proof of Lemma 1.2.3. 
First we prove the following lemma. 


Lemma 1.2.4 Let A € R"*” be an invertible square matrix of ordern, T = A’ A 
is a positive definite real symmetric matrix. Let 5 be the smallest eigenvalue of T, 5* 
is the biggest eigenvalue of T, we have 0 < 6 < 6*, and 

V8 < |Axlres < V8", (1.2.10) 
where S = {x € R” | |x| = 1} is the unit sphere in R". 
Proof Since T is a positive definite real symmetric matrix, so all eigenvalues 
61, 62,..., 6, Of T are positive, and there is an orthogonal matrix P such that 


P'T P = diag{5y, 52, ..., dp}. 


Hence, 
|Ax|? =x?Tx =x! P(P'TP)P' x. 


Since P’T P isa diagonal matrix, we have 


6|P7 x|* < |Ax|? < 8*|P?x/?. 


If x € S, then |P’x| = |x| = 1, so we have V8 < |Ax| < V8*. 


By Lemma 1.2.4, and S is a compact set, |Ax| is a continuous function on S, so 
|Ax| can achieve the maximum value on S$. This maximum value is defined as || A||, 


||Al] = max{|Ax| | [x] = 1}. (1.2.11) 
We call || A|| for the matrix norm of A, and Lemma 1.2.4 shows that 
V5 < |All < V8*, VA € GL, (R). (1.2.12) 


Another proof of Lemma 1.2.3: Let L = L(B) be any full-rank lattice, B is the 
generated matrix of L. By definition we have 


1 a 2 1 1 . 
D A= > Dn r. yee = = 2 eee? 42713) 


xeL xeL xeZ" 
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From Lemma 1.2.4, 


[Bo 'x| 
|x| 


<|[BO'| => [Bo'x| < |]Bo'l| [x], Va eR". 
Let x = By, 5* is the biggest eigenvalue of (B~')’ B~!, we have 


7 1 ims n 
ly < [B~"|| [By| > |By| > ——_ly| > lyl/V8*, Vy eR". (1.2.14) 
[|Bo"|| 


The property of the exponential function implies that, 


2n 


5 Ss 
ee De 
~ — 02 
xeEZ",|Bx—c|>M xeZ",|Bx—c| £0 m"|Bx —c|?” 
Since 
|Bx — el” = |B(x = B-'e)|* = |x are, Bo'c/?"/(6*)". 
Denote x = (X1,.-.,4n), Bo'¢ = (ui, ..-, Un), then 
n 
p= Be = Sau > nf ay aD = wa 
i=1 
By (1.2.15), 


2n 1 


2nrs*\n 
Ss so" 
m"|Bx —c|?” mn” = TT? (x; — uj)? 


xeZ" ,|Bx—c|A0 xeZ" ,|Bx—c|40 


_ 2" (8*)" 1 3 1 3 1 
mn" eZ (x1 im uy)* xmeZ (x2 7 uz)? x,€Z (Xn =~ Un)? 


every infinite series on the right hand side of the above equation converges, hence, 
Ds,c(L) < 00. 
By Lemma 1.2.3, we define the discrete Gauss density function Dz 5-(x) as 


Del) fee) 


ET Dy yD) 


(1.2.16) 


Trivially, we have 


Y Desc = 1, 


xeL 
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So Dz.s.-(x) corresponds to a random variable from Gauss distribution defined 
on the lattice L (discrete geometry) with parameters s and c. 


Definition 1.2.4 Let L = L(B) C R” be a lattice with full rank, s > 0 is a given 
positive real number, c € R” is a given vector, define the discrete Gauss measure 
function gzs,-(x) as a function defined on the basic neighborhood F(B) of L, 


2 1 
81,s,0(%) = Dse(X) = | > Psc(e + y), x € F(B). (1.2.17) 


yeL 


By Definition and (1.2.3), it is clear that 


1 1 
/ gise(tdx = — Jo / Pselt + y)dx = — / peo(x)dx = 1. (1.2.18) 
S S 


F(B) yeL (py R" 


Thus, the density function g;, -(x) defined on the basic neighborhood F'(B) corre- 
sponds to a continuous random variable on F(B), denoted as D, -modL. 


Lemma 1.2.5 The random variable D,.modL is actually defined in the additive 
quotient group R"/L. 


Proof F(B) is aset of representative elements of the additive quotient group R”/L, 
and we only prove that for any set of representative elements of R”/L, the discrete 
Gauss function gz.5,-(x) remains constant, then D,. mod L can be regarded as 
a random variable on the additive quotient group R"/L. Actually, if x1, x2 € R’, 
xX, = x2 (mod L), we have gz5.¢(X1) = 8L,s,c(X2). To obtain the result, by definition 


n 
yeLl 


_ 1 
81,5,c(X1) = Ds(%1) = ” DY psc + y). 
Since x; = x2 + yo, where yo € L, so 


1 1 
8z,5,c(X1) = a > Ps,c(X4 + y) = st > Ps,c(X2 a Yo =P y) 


yeL yeL 


1 = 
= sn > Ps,c(X2 oF y) = Ds ¢(X2) = 8L,s,c(X2). 


yeL 


By x; = x2 (mod L), then x; = x2 are the same additive cosets in the quotient 
group R”/L. Thus, the discrete Gauss measure gy s,-(x) can be defined on any basic 
neighborhood of L, and the corresponding random variable D, . mod L is actually 
defined on the quotient group R"/L. 
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1.3. Smoothing Parameter 


For a given full-rank lattice L C R”, in the previous section we defined the dis- 
crete Gauss measure gz.s,-(x), and the corresponding continuous random variable 
Dys,- mod L on the basic neighborhood F(B) of L. In this section, we discuss an 
important parameter on Gauss lattice—the smoothing parameter. The concept of 
smooth parameters was introduced by Micciancio and Regev in 2007 Micciancio 
and Regev (2004). For a given vector x € R”, we have the following lemma. 


Lemma 1.3.1 For a given lattice L C R", we have 


Jim DP pis) = 1 


xeL 


or equally 


Jim D7 pis) = 0. 
xEL\{0} 


Proof By the property of the exponential function, when |x| > Mo (Mo is a positive 
constant) then 
—as?|x/? 2 1 


e ‘ 
~~ rs? |x|? 


So 


Swe err <= ers — > ae 


xeL xeL |x|<Mo,xeEL |x|>Mo,xeL 


The first part of the equation above only has a finite number of terms, so 


lim 5 ee? — 7, 
SSO 


|x|<Mo,xeEL 


The second part of the above equation is a convergent series, therefore, 


1 1 
lim — — = 0. 
lima 2. ip 


Here, we get the proof. 


By Definition 1.2.3, we have pj/;(L) = a P1/s(x), then p1,/;(L) is a monotone 
xeL 
decreasing function of s. When s + 00, p1/;(L) monotonically decreasing to 1. So 


we give the definition of smoothing parameter. 


14 1 Random Lattice Theory 


Definition 1.3.1 Let L C R" be a lattice with full rank, L* is the dual lattice of L, 
define the smoothing parameter n,(L) of L: For any € > 0, define 


ne(L) = min{s | s > 0, pr/s(L*) < 1 +6}. (1.3.1) 


Equally, 
ne(L) = min{s | s > 0, pi/s(L*\{0}) < €}. (1.3.2) 


By definition, the smoothing parameter 7, (L) of L is amonotone decreasing function 
of €, namely 
Ne (L) < Ne (L), if0< «2 <1. 


Definition 1.3.2 Let A C R" be a finite or countable set, X and Y are two discrete 
random variables on A, the statistical distance between X and Y is defined as 


A(X, Y) = 5 LPrx =a} - Pr{Y =a}l. (1.3.3) 


acA 


If A is a continuous region in R”, X and Y are continuous random variables on A, 
T, (x) and 7>(x) are the density functions of X and Y, respectively, then the statistical 
distance between X and Y is defined as 


1 
A(X, Y) = Al \T; (x) — Th(x)|dx. (1.3.4) 
A 


It can be proved that for any function f defined on A, we have 
A(f(X), f(Y)) < A(X, Y). 


From (1.2.17) in the last section, D,. mod L is a continuous random variable 
defined on the basic neighborhood F(B) of the lattice L with the density function 
8L.s.c(x). Let U(F(B)) be a uniform random variable defined on F(B) with the 
density function d(x) = ae The main result of this section is that the statistical 
distance between D, . mod L and the uniform distribution U(F (B)) can be arbitrar- 
ily small. 


Theorem 1.1 Foranys > 0, givena lattice with full rank L = L(B) C R", L* is the 
dual lattice of L, then the statistical distance between the discrete Gauss distribution 
and the uniform distribution on the basic neighborhood F(B) satisfies 


1 
A(D,,- mod L, U(F(B))) < 5 Prjs(L"\{0)). (1.3.5) 


Particularly, for any € > 0, and any s > <(L), we have 
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1 
A(D;,< mod L, U(F(B))) < se. (1.3.6) 


To prove Theorem 1.1, we first introduce the following lemma. 


Lemma 1.3.2 Suppose f (x) € L'(R") and satisfies the following two conditions: 
(i) >* | f(& + u)| uniformly converges in any bounded closed region of R" (about 


xeL 
u); 7 
(ii) >> | f (y)| converges. Then 


yeL* 
1 . 
d SO= as » fo), 


where L = L(B) C R" isa full-rank lattice, L* is the dual lattice, det(L) = \det(B)| 
is the determinant of the lattice L. 


Proof We first consider the case of B = I,, here L = Z", L* = Z”. By condition 
(i), let F(u) be 
Flu)=)) f(e+u), weR". 


xeZ" 


Since F(u) is a periodic function of the lattice Z”, namely F(u + x) = F(u), for 
Vx € Z", we have the following Fourier expansion 


F(u) = ~ a(yeniny, (1.3.7) 


yeZ" 


Integrating F(uje?7""* for u € [0, 1]”: 


F(uje "du = > a(yjer""O-M dy = a(x), Vx EZ". 
(0.1]" yeZ"q iy 
Hence, we have the following Fourier inversion formula: 


a(y) = / Fajete= So] ferme Oda 
[0,1])" xeZ"g yy 


=) / f@e dz = / fle des FO): 


xeZ" sf." R 
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From the above equation and (1.3.7), 


Fu)= )) fen. 


yeZ" 


Take u = 0, we have 


FO =) > f@) = >> fo), 


xeZ" yez" 


the lemma is proved for L = Z". For the general case L = L(B), since L* = 


L((B7!)), then 
Yo f@) = YO (Bx) = VE (F 0 BY), 


xeL xeZn xeZ" 


where f o B(x) = f(Bx). Replace f(x) with f o B, then f o B still satisfies the 
conditions of this lemma, so 


S> fo Bx) = )> fo BY). 


xeZr yezr 


From the definition of Fourier transform, 


Fo By) = / f (Bre? at, 


Take variable substitution t = B~!x, then 


>. Dp —2niy-Bo!x 
FoBO) = aoe f tore reas 
R" 


can | fRijer"e a YX dx 


R" 


aa )| 


Bo 
= amie yy). 


Above all, 


Yo f@ =o foBO)= aaa BO) ie aac 210 


xeL yez" ez" 


We finish the proof of this lemma. 
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The proof of Theorem 1.1 The density function of the continuous random variable 
Ds,- mod L defined on the basic neighborhood F(B) of L is gz.5,-(x), from Eq. 
(1.2.17) and Lemma 1.3.2, we have 


1 1 
Bisel) = =) Pscl®+Y) = | Y | Psex(). 


yeL yeL 


By (1.2.5), the Fourier transform of (5 ¢—x(y) 18 


P= e OO pie): 


Combining with Lemma 1.3.2, we obtain 


Sigal = » erty —0) py 1, (y). (1.3.8) 


aa 


The density function of the uniformly distributed random variable U(F(B)) on F(B) 


is rae based on the definition of statistical distance, 


1 1 
A(Dg,. mod L, U(F(B))) = 5 / Steele) = det) 


F(B) 
1 1 2miy-(x—c) 

9.) laa >. BrP pu Gide 
F(B) yeL*,y#0 


1 
< = Vol(F(B))det(L* eee 
5 ol (F (B))det( oe! Pijs)I 


3 prjs(y) = sual \(0}). 


 cL\t0 


So (1.3.5) in Theorem 1.1 is proved. From the definition of smoothing parameter 
ne(L), when s > n-(L), we have 


prjs(L*\{0}) < €. 


Therefore, if s > n_-(L), we have 


_ 


A(D,.¢ mod L, U(F(B))) < =e. 


N 


Thus, Theorem |.1 is proved. 
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Another application of Lemma 1.3.2 is to prove the following inequality. 


Lemma 1.3.3 Let a > 1 be a given positive real number, then 


ye —2|x/? <a ven, (1.3.9) 


xeL xeL 


Proof By Definition 1.2.1, the left hand side of the sum in the above inequality can 
be written as | 
pyatx) = et", s = Va. 


Since (s(x) satisfies the conditions of Lemma 1.3.2, we have 


Ys ps(x) = det(L") D5 s(x) = det(L*) ¥ 8" prjs(x). 


xeL xeL* xeL* 


Obviously ,(x) is a monotone increasing function of s, take s = ./a > 1, then 


do pyale) = aFdet(L*) YT pa (x) <atde(L*) )? p(x) 


xeL xeL* xeL* 


=qi roe — gi yee, 


xeL xeL 


We complete the proof of Lemma 1.3.3. 


Let N = N(O, 1) be the unit sphere in R”, namely 
N = {x ER" | |x| < Lh. 


Lemma 1.3.4 Suppose L C R" is a lattice with full rank, c > a is a positive real 
number, C = cV2me- e-*, v € R", then 


p(L\cVnN) < C"p(L), and p((L + v)\cVnN) < 2C"p(L). 


That is, 


- ent? ae ee (1.3.10) 


xeL,xd¢c./nN xeL 


> ent? <2C" a eo? | 


xeLtu,xdo/nN xeL 
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Proof We will prove the first inequality, ler ¢ be a positive real number, 0 < t < 1, 


then 
dremel = Seto. goalel 


xeL xeL 


2 al al2 ead 
> y etl t)|x| nie |x| 


xeL,|x|/?>c2n 


> et-nern > ent 


xeEL,|x|?2>c2n 


In Lemma 1.3.3, take a = 4, then a > 1, we get 


= 2 —n 7” 2. 
y e mt|x| <t 5 » e |x| . 


xeL xeL 


Hence, 


= 2 er ee _ 2 2 n -|2 
y e |x| <e m(1—t)c "S e mt|x| x e m(1—t)c neo 3 » e 1 |x| ; 


xeL,|x|2?>c2n xeL xeL 


It implies that 
1 Asn 
p(L\cVnN) < (t7-2e°79-9 7" o(L). 


Let t = si then 


wc? 


p(L\cVnN) < (c- V20e-e*)" p(L), 


The second inequality can be proved in the same way. Lemma 1.3.4 holds. 


Based on the above inequality, we can give an upper bound estimation of the 
smoothing parameter on lattice, which is a very important result about the smoothing 
parameter. 


Theorem 1.2 For any n dimensional full-rank lattice L C R", we have 


no-(L) < J/n/A4(L*). (1.3.11) 


where i, (L*) is the minimal distance of the dual lattice L* (see (1.0.4)). 


Proof Take c = 1 in Lemma 1.3.4, we first prove 


(1.3.12) 
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If we take the logarithm of both sides, then 
log(3277) + 1 < 27. 
Since we have the following inequality, 
log(327) + 1 < log128+ 1 «< 27. 
So (1.3.12) holds. By Lemma 1.3.4, we have 
p(L*\/nN) < C"p(L*) = C"(p(L*\V/nN) + p(L* N VnN)). 


From the both sides, we get 


n 


Set? n./nN). 


p(L*\/nN) < ; 


If s > J/n/d,(L*), for all x € L*\{0}, 
|sx| > -A,(L*) > Jn > sL*N.J/nN = {0}. 
Hence, 
pijs(L*) = p(sL*) = 1+ p(sL*\VnN) 


n 


Cc 
<I1I+ joo n./nN) 


Take € = 2~", then 
mo-n(L) < JSn/Ai (L*). 


Theorem 1.2 is obtained. 


According to the proof of Theorem 1.2, we can further improve the upper bound 
estimation of the smoothing parameter. 


Corollary 1.3.1 Let 


1 log2z 1 
r= + + log(1 +2”). («< 0.82) (1.3.13) 
20 20 ni 
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Then for any full-rank lattice L C R", we obtain 


No-n(L) < r/n/A(L*). 


: 1 

Proof Take c > r in Lemma 1.3.4, then c > Te and 
ae Ct 

C=c:V2me-e™ > <a 


1 
<=. 
Qn 


By Lemma 1.3.4, for any full-rank lattice L C R”, we have 


n 


p(L*\c/nN) < ; 


If s > c./n/a,(L*), for any x € L*\{0}, 
|sx| > SA, (L*) > c/n. 


Hence, 
sL* NVcJ/nN = {0}. 


Therefore, 
prjs(L*) = p(sL*) = 1+ p(L*\cJ/nN) < 1+ 
Finally we have (let c > r) 


no-n(L) < rJ/n/d4(L*). 


Corollary 1.3.1 is proved. 


C 
en PL" Nc /nN). 


n 


Cc 


i=o 


21 


(1.3.14) 


(1.3.15) 


1 
Qn . 


Corollary 1.3.2 For any n dimensional full-rank lattice L C R", we have 


4 
na-n(L) < zVn/ai(L*). 


Proof Take c = 3 in Lemma 1.3.4, then c > Te and 
ao Oe 
ie Mle en 


1 
<=. 
Qn 


Lemma 1.3.4 implies that for any full-rank lattice L C R”, we have 


n 


piL\eVAN) < 


p(L* NcJ/nN). 


(1.3.16) 
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If s > c/n/a,(L*), for any x € L*\{0}, 
|sx| > sd, (L*) > c/n. 


Hence, 
sL* NV cJ/nN = {0}. 


We get 


Ce 1 
which implies that 


4 
no-n(L) < eV n/da(L"). 


Corollary 1.3.2 is proved. 


In the following, we give another classical upper bound estimation for the smooth- 
ing parameter. For any n dimensional full-rank lattice L C R”, we have introduced 
the definition of minimal distance 4; (L) on lattice, which can actually be generalized 
to the general case. For 1 <i <n, 

Ai(L) = min{r | dim(Z 1 rN(0, 1)) = i}. (1.3.17) 
A; (L) is also called the i-th continuous minimal distance of lattice L. To give an 


upper bound estimation of the smoothing parameter, we first prove the following 
lemma. 


Lemma 1.3.5 For any n dimensional full-rank lattice L, s > 0, c € R", then 


Ps,c(L) < ps(L). (1.3.18) 


Proof According to Lemma 1.3.2, we have 
Ps.c(L) = det(L*) 6s,-(L*) 


= det(L*) }> psc(y) 


yeL* 


= teil?) ) ep) 


yeL* 


< det(L*) } > A.(y) = p,(L), 


yeL* 
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where we have used , ¢(y) = e~27'° A, (y), the lemma gets proved. 


Theorem 1.3. For any n dimensional full-rank lattice L, € > 0, we have 


ne(L) < yf men +119), (L), (1.3.19) 


where 4,(L) is the N-th continuous minimal distance of the lattice L defined by 


(1.3.17). 
_ pene 1) ig 


Proof Let 

we need to prove ~1,;(L*\{0}) < €. From the definition of 1,,(L), there are n linearly 
independent vectors vj, v2,..., U, in L satisfying |v;| < A,(L), and for any positive 
integer k > 1, we have v;/k ¢ L, 1 <i <n. The main idea of the proof is to take a 
segregation of L*, for any integer /, let 


S.j=eeL*|x-y= fc, 


for any y € L*\{O}, there is v; that satisfies y - v; 4 0 (otherwise we have y = 0), 
which implies y ¢ S;,o, i.e. y € L*\S;.9, so we have 


L*\{0} = U?(L*\S;0). (1.3.20) 
To estimate 1/;(L*\S;,9), we need some preparations. Let uj = v;/|v; 7, then |u;| = 
1/|uj| > 1/An(L). Vj € Z, Vx € Si,;, 
“2 2 
: ; ; ; J J 
(x — juj)- ju; = jx uj — Puy uj; = — - — = 
v;| |v; | 
Therefore, 
|x|? = |x — jus + [ju 
So ae 
Pi/s (Si) = >» eon 
xe Si, j 
— ects Liu? > ents lx juil? 
xES; 3 
= e714!” oy 16 (S;,; — fui). (1.3.21) 


Since the inner product of any vector in S;,; — ju; with v; is 0, then S$; ; — ju; 
is actually a translation of S;, namely there is a vector w satisfying S;; — ju; = 
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Sio — w.In fact, for any x; € S;,;,x0 € Sio,w = xo — x; + ju; satisfies the equality 
Si,j — jui = Si, — w. By Lemma 1.3.5, we have 


Pi/s(Si,j — Jui) = Prys(Si0 — W) = P1/s,w(Si,0) < P1/s(Si,0)- (1.3.22) 
Combine (1.3.21) with (1.3.22), 
Prijs (Si,j) < en 71H? oy 16 (S;.0) < eH S/n LYI? 4 1, (Sj,0). 


When x > 1, it follows that 


Dee aa “oy = — 


j#0 j>0 


Next, we will estimate p1,,(L*\Sj,0), 


Piys(L*\ Sio) = y P1ys (Si, j) 


770 
= 232 
< ee EOE pagel 8:6) 
770 
< ai 1 [Piss (Si,0) 


2 
= caGatby? Pus") = P1/s(L*\S;,0)). 


So we get 


Prys(L*). 


2 
* 
pys(L\Si0) S Sop] 


From (1.3.20), 


n 


prjs(L*\{0}) < > prjs(L*\Si,0) < 


i=1 


2n L* 
Ghat q 1 Push). 


Together with p1/,(L*) = 1 + piys(L*\{0}), we have 


2n 2n 
erGInD? +1—2n ~ ekC/aD? — In 


pijs(L*\(0}) < é. 
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In the last equality, we have used that 


a nos YO) 5, 


Based on the definition of the smoothing parameter, 


ne(L) < | ment 1), 


Theorem 1.3 is proved. 


At the end of this section, we present an inequality for the minimal distance on 
lattice, which will be used in the next chapter when we prove that the LWE problem 
is polynomial equivalent with the hard problems on lattice. 


Lemma 1.3.6 For any n dimensional lattice L, € > 0, we have 


Ini/e 1 In 1/e A, (LZ) 
ne(L) >, / - Mey 7 V = a (1.3.23) 


Proof Let v € L* and |v| = A, (L*), s = n-(L), from the definition of smoothing 
parameter, we have 


2452 * 
eé= P1js(L*\{0}) > pis (v) — ermal’) 


[Inl/e 1 
SS . 
TU 41 (L*) 


That is, the first inequality in this lemma holds. For the second inequality, Theorem 
2.1 in Banaszczyk (1993) implies that 


Hence, 


1<Ai(L*)A,(L) <7, (1.3.24) 


so we immediately get the second inequality. The lemma holds. 


1.4 Some Properties of Discrete Gauss Distribution 


In this section we introduce some properties about the discrete Gauss distribution. 
First we give the definition of the expectation of discrete Gauss distribution. 
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Definition 1.4.1 Let m, n be two positive integers, L C IR” be ann dimensional full- 
rank lattice,c € R”,s > 0,€ is arandom variable from the discrete Gauss distribution 
Dz.5.c, and f : R” > R” is a given function, we denote 


E[§1= > xDr,s,c(x) (1.4.1) 


€é=xeL 


as the expectation of &, and denote 


ELfFEI= DY) F@)Dis,c(x) (1.4.2) 


€é=xeL 
as the expectation of f(&). 


Lemma 1.4.1 For any n dimensional full-rank lattice, L C R", c, u € R", |u| = 1, 
O0<e <1,s > 2n.(L), & is a random variable from the discrete Gauss distribution 


DL.s.c, then we have 
és 


BI =e) <ul 
= € 


(1.4.3) 


and 
es 


2 
|EL(E — c)-u)"] — =| < (1.4.4) 


l—«€ 


Proof Let L'= L/s = {* |x € L}, c’ = c/s, &' is a random variable from the dis- 
crete Gauss distribution Dz,,.., for any x € L’, we have 


Pe (x) = Ps,c(SX) 
Pc! (L') Ps,c(L) 


PE =z) = = Pr{é=sx}. 


That is, Pr{= = x} = Pr{é’ = x}, Vx € L’, therefore, 


E(€ —c)-u]= EC —c’)-u] = sE[(é’—c’)-u], 


the inequality (1.4.3) is equivalent to 


€ 


|E[(é’—c') -u]| < (1.4.5) 


l-e 
Similarly, the inequality (1.4.4) is equivalent to 


€ 


1 
JEL’ — ce!) -u)?] - =< (1.4.6) 


l-e 


So we only need to prove the two inequalities for s = 1. Denote & as arandom variable 
from the discrete Gauss distribution D; ., the condition s > 27,(L) in Lemma 1.4.1 
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becomes 7-(L) < 5. We prove that the two inequalities (1.4.5) and (1.4.6) hold if 
u = (1,0,..., 0) firstly. For any positive integer /, let 


gj(x) = (x1 — c1) p¢(x), 
where x = (x1, x2, ana Xn), c= (c1, C2, Ree, Cn). Let & = (1, &, ssey. En), then 


gj(L) 


E[(é —¢)-u)/] = El(@ — 1/1] = Ly 


Based on Lemma 1.3.2, 


_ gi(L) _ det(L8(L") _ 8)(L*) 
pL) det(L*)pe(L")— pe(L*)’ 


E((é —c)-u)/] (1.4.7) 


In order to estimate 6.(L*), from Lemma 1.2.1 we get 6¢(x) = e277 n(x), thus, 
[Pc(x)| = p(x), note that ne(L) < 5 <1, 


LI =l+ D2 BM S1- YP [ae =1- p(L"\(0)) > 1-e. 
xeL*\{0} xeL*\{0} 
(1.4.8) 
To estimate g;(L*), assume pu! ; (x) is the j order partial derivative of o,.(x) about 
the first variable x), i.e. 


pas oY pata) 
If 7 = 1, 2, it is easy to get 
po (x) = —2n (a1 — €1) pe(@). 
p(x) = (4n?(x1 — 1)" — 270) p- (x). 


It follows that 


1 
81(%) =—5— Pc). 
JT 


grt) = p(x) + pee) 
42" ¢ yy on 
Since p{? (x) = (27ix1)/ Be(x), we have 
&1(x) = —ix16,(). 


er aa 
(x) = c= — X7)Pc(x). 
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; ‘ : Ix/? 
According to the inequality |x;| < //|x|2 <e7? and 7.(L) < 5, 


es 


Ix|f 


Igi(L*)| < » xi] - Oe(x)| = = Ixy|o(x) < > ere tl 


xeL* xeL*\{0} xeEL*\{0} 
< OF = m(L*\(0)) <e. (1.49) 
xeL*\(0} 


Combining (1.4.7), (1.4.8) and (1.4.9) together, 


_1a@9l - « 


ELE — 0) wil = GS poe 


For a general unit vector u € R”, there exists an orthogonal matrix M € R"*” such 
that Mu = (1,0,...,0). Denote 7 as a random variable from the discrete Gauss 
distribution Dy-1,, y-'c, for any x € L, 


<1). =1 (2 
Pu-'e(M—!x) eo7IM x—-M~c| 


Pr{n= M~'x} = ; = ; 
Pu-'¢(M— L) Pu-1¢(M— L) 


—m\|x—c|? 
e 2 


= Pr{é =x} = Pr{M'& = M'x}, 


which implies that the distributions of n and M~'é are the same, hence, 


€ 


JEL(E —c) wl] = |EIM'(E — c) - Mul| = [EL — Me) - Mul] < ——. 


Above all the inequality (1.4.3) holds, and inequality (1.4.4) could be proved in the 
same way. We complete the proof of Lemma 1.4.1. 


Lemma 1.4.2 For any n dimensional full-rank lattice L C R", c € R",0 < € < 1, 
S > 2n.(L), € isa random variable from the discrete Gauss distribution Dy.5.¢, then 
we have 


€ 
[ELE —c]I’ < (sn, (1.4.10) 
—e€ 
and ; 
Etlé —cl?] < (— + £52, (1.4.11) 
2x l-eE 
Proof Let uy, u2,...,U, be then unit column vectors of n x n matrix I,,, by Lemma 
1.4.1, 


|EIE — cll? = ) (ELE — ©) wil)? < GY, 


i=l 
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yen. 


n 1 
E(lg — el? = ) 7) ELE — 0) ui < G+ 


i=1 


_ 


Lemma 1.4.2 holds. 


Lemma 1.4.3 For any n dimensional full-rank lattice L C R", v € R",0 <€ < 1, 
Ss > n-(L), & is a random variable from the discrete Gauss distribution D5, then 


we have fat 
Pr{|— —v| > sVn} < —". (1.4.12) 
=6 


Proof From the proof of Lemma 1.4.1, here we only need to prove for the case 
s = 1. Since 


Prilé—vl>vaj= a 


xeEL,|x—-v|>/n 


2 5 2) 2G) 


7 yh 
xeEL,|x—v|>/n Po( ) Pr( ) 


’ 


take c = 1 in Lemma 1.3.4 and get 


p((L — v)\V/nN) <2-"p(L). 


That is, 
p(L) 


py(L) 


Based on Lemma 1.3.2, Lemma 1.2.1 and n.(L) < 1, 


Pr{|é—v| > Jn} <2" (1.4.13) 


pr(L) = |py(L)| = |det(L*) 6, (L*)| = |det(L") D2 ee" p(x)| 


xeL* 


> ldet(L*)|1 — Ye p(x)|) = Idet(L*)|(1-— > p(w)) 


xeEL*\{0} xeL*\{0} 
= |det(L*)|(1 — p(L*\{0})) > |det(L*)|(1 — €). (1.4.14) 


Similarly, 
p(L) = |p(L)| = |det(L*) p(L")| 


= |det(L*) D7 pay] = [det L|(1+ D7 play) 


xeL* xeEL*\{O} 


= |det(L*)|(1 + p(L*\{0})) < |det(L*)|(1 + ©). (1.4.15) 
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Combining (1.4.13), (1.4.14) and (1.4.15) together, it follows that 


Pr{lé—v| > Va} < < (tio. 


This lemma holds. 


For x € R" anda set A C R", we define the distance from x to A as dist(x, A) = 
min |x — y|. 
i ee 


Lemma 1.4.4 For any n dimensional full-rank lattice L C R", c, v € R",0 <€ < 
1, s > n.(L), & is a random variable from the discrete Gauss distribution Drs, 
dist(v, L*) > ce then 

l+e 


|\Bfe"** 7] < i a (1.4.16) 
—eE 


Proof From the proof of Lemma 1.4.1, we only need to prove for the case 5 = 1. 
Let 


2mix-v 


g(x) =e D(x). 


By Lemma 1.3.2, 


Eje2t#") = g(L) - det(L*)g(L*) _ &(L*) 
pc(L) — det(L*)p,(L*) — pe(L*)” 


We have proved that |6.(L*)| > 1—e in Lemma 1.4.1, based on (iii) of Lemma 
1.1.2 and Lemma 1.2.1, 


—2mi(x—v)-c 
tS 


8(x) = bc(x — v) = p(x — ve 
therefore, 


BL = 1D eG — ve P| < IY p(x — v) = p(L* — v). 


xeL* xeL* 
Since dist(v, L*) > ./n, we know 
p(L* — v) = p((L* — v)\V/nN). 
Take c = 1 in Lemma 1.3.4 and get 
p((L* — v)\VnN) < 2-"p(L*) = 2-"(1 + p(L*\f0)) < 2-1 +). 
Above all, 


pi * 
&(L*) 2 LP en 


E 2nié-v = < 
Ele" = |S al < 
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We complete the proof of Lemma 1.4.4. 


Lemma 1.4.5 For any n dimensional full-rank lattice L C R", w,c,v € R", 0 < 
€ <1,s > n.(L), € isa random variable from the discrete Gauss distribution Disc, 


dist(v, L*) > “, then 


l+e 


|E[cos(27(€ + w)-v)]| < i ae, (1.4.17) 
—e 
Proof By Lemma 1.4.4 we have 
Qni(E+w)-v Qmié-v Ie =n 
|E[cos(27(€ + w)-v)]| < |Ele }| = [Efe] < fae 


Lemma 1.4.5 holds. 


Finally, we give a lemma which will be used in the next chapter. 


Lemma 1.4.6 Let v1, v2,..., Um be m independent random variables on R" such 
that E[{|v;|*] < Land|E[y;]|? < € fori = 1,2,...,m. Thenfor any z = (z1, Z2,.--; 
Zm)? E R”, 

El) ¥\zivil?] < U + me)|z/. (1.4.18) 


Proof By Cauchy inequality we get )~""_; |z:| < ./m|z|, so 


Et) > zivil]= )> aizjEly- vj] = Do PE [P+ Do cizjElvi) - Elvj. 
i=l i,j i 


iAj 
(1.4.19) 
The first term of the right hand side in (1.4.19) has the estimation 


Lael [lui 2! =icF, 


The second term of the right hand side in (1.4.19) has the estimation 


1 
deez Elve] - Ely] < Dp leillel - 5 CEL? + |ELyjll) 
ixj iAj 


2 2 
< Yo elzillzsl < QQ teil)? < mela’. 
i 


izj 
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From (1.4.19) it follows that 


El] ¥oziviP] < d+ me)l2l. 


i=1 


This lemma holds. 
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Chapter 2 (®) 
Reduction Principle of Ajtai cree 


In 1996, the famous scholar Ajtai proposed the reduction principle from the worst 
case to the average case at the 28th Summer Symposium of the American Computer 
Society (ACM), named the Ajtai reduction principle [see Ajtai (1996), Ajtai (1999) 
and Ajtai and Dwork (1997)]. Subsequently, Ajtai and Dwork presented the first 
lattice-based cryptosystem, which is called the Ajtai-Dwork cryptosystem in the 
academic circles. The proof of this cryptosystem resisting Shor’s quantum computing 
is to apply Ajtai reduction principle to transform searching for collision points of 
the Hash function into the SIS problem, and Ajtai reduction principle proves that the 
difficulty of solving the SIS problem is polynomially equivalent to the shortest vector 
problem on lattice. The main purpose of this chapter is to prove the Ajtai reduction 
principle. 


2.1 Random Linear System 


Let A € ae be ann x m matrix on Z,, if each element of A is a random variable 
on Z,, and the n x m random variables are independent and identically distributed, 
then A is called a random matrix on Z,. We give the definition of random linear 
system 


y = Ax+z(modq), x Za y Zi z Li (2.1.1) 


where x, y, z are random variables on Z? and Z/, respectively. This random lin- 
ear system plays an important role in modern cryptography. We prove some basic 
properties in this section. 


Lemma 2.1.1 Let A € Z)*" be an invertible square matrix of order n, y = Ax (mod 
q), then y is uniformly at random on Z/ if and only if x is uniformly distributed. 
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Proof If x is uniformly distributed on Z{, then for any xo € Zj, we have 


1 


Pr{x = xo} = —. 
q” 


Since there is only one yo € Zi => Axo = yo (mod gq), therefore, 


1 
Pr{y = yo} = Pr{x = xo} = re 


Because A is an invertible matrix, there is a one-to-one correspondence between yo 
and xo. In other words, when xo traverses all the vectors in Zi yo also traverses all 
the vectors in Z7, which means y is also uniformly at random on Z{. On the other 
hand, if y is uniformly distributed on Z7, so is x on Z7 by x = A~'y (mod q). 


Remark 2.1.1 In fact, for the above linear system, x and y are random variables with 
the same distribution when A is an invertible square matrix. However, this property 
doesn’t hold if A is not a square matrix. 


Let a € R be a real number, [a] be the greatest integer no more than a, 1.e. [a] is 
the only integer satisfying the following inequality, 


[a] <a < [a] +1. 
If x € R” is ann dimensional vector, x = (x1, X2,..., Xn), we define [x] as follows 
[x] = (41), De], ---, en] € 2". 
[x] is called the integer vector of x. We say x is a random vector, which means each 


element x; is a random variable, and the n random variables are mutually indepen- 
dent. 


Lemma 2.1.2 /fx € [0, 1)” is a continuous random variable uniformly distributed 
on the unit cube, then [qx] is a discrete random variable uniformly on Zj. 


Proof Since all the components of x are independent, we only prove for n = 1. 
If a € [0, 1) is a continuous random variable uniformly distributed, then for any 
i=0,1,...,q— 1, we have 


j 1 
Pr{lqa] =i} = Pr{i<ga<it+l}=Pr{_<a< -. 
q q q 


This indicates [ga] is a discrete random variable uniformly distributed on Z,. 
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Lemma 2.1.3 Let L = L(B) be an dimensional full-rank lattice, F (B) is the basic 


neighbourhood of L. If x is a random variable uniformly distributed on F(B), then 
[qB~'x] is a discrete random variable uniformly on Lay 


Proof Va € Z7, we have 


Bia+1) 
<= 
q 


1 Ba 
Pr{[gB x] =a} = Pr{— <x }. 
q 


Since the volume of basic neighbourhood F'(B) is det(L) = |det(B)|, the probability 
1 


density function of x is dak)’ thus, 
Bia+l) atl 
q q 
B B 1 1 det(B 1 
Pr{ See <")= [ dy = eet Wie 
qd qd det(L) det(L) q" 


Ba 
q 


We set y = Bu in the above equality, and get 


Pr{{qB°'x] =a}s= -, 
q 


So [qB~'x] is uniformly distributed on Zi: 


2.2 SIS Problem 


The SIS problem plays a very important role in modern lattice cryptography, which 
is to find the shortest nonzero integer solution in a class of random linear systems. 


Definition 2.2.1 Let n,m, q be positive integers, m > n, A € Z/*" is a uniformly 
distributed random matrix on Z,, 8 € R, 0 < B < q. The SIS problem is to find the 
shortest nonzero integer vector z € Z” such that 


Az =0 (mod q), andz £0, |[z| < B. (2.2.1) 


We call the above SIS problem with parameters n,m, q, A, B as SISy,¢,6,m, and A is 
called as the coefficient matrix of SIS problem. 


Remark 2.2.1 Ifm <n, since the number of variables is less than equations, (2.2.1) 
is not guaranteed to have a nonzero solution, so we suppose that m > n. If B > q, let 
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q 
0 

z=]. | € Z", we have Az = 0 (mod gq), and |z| = q < f. This solution is trivial 
0 

so that we always assume that 6 < g in Definition 2.2.1. 


Remark 2.2.2 The difficulty of SIS problem decreases when m becomes larger, 
while it increases as n becomes larger. In fact, if z is a solution of SIS;.4,6,m,m' > m, 


[A, A’] is the coefficient matrix of SIS, 4,8’. Let z’ = (5). then 


[A, A’]z’ = [Az, 0] = 0 (mod q). 


So z’ isa solution of SIS, 4, m’. Ifa solution satisfies n + 1 equations of SIS problem, 
it also satisfies n equations of SIS problem. Therefore, the difficulty of SIS problem 
increases when n becomes larger. 


Lemma 2.2.1 For any positive integer q, any A € Z(*", and B > mq, the SIS 
problem has a nonzero solution; i.e. there exists a vector z € Z", z # 0, such that 


Az =0 (mod q), and |z| < B. 


Proof Letz =| : | € Z”, weconsider the value of coordinate z; inO < z; <q — 


Zm 
It’s easy to check that there are more than g” such integer vectors. Thus, we can find 
z’ and z” such that z’ 4 z”, Az’ = Az” (mod q), i.e. 


A(z’ — 2’) = 0 (mod q), and |z’ — z”| < /mqn < B. 


We complete the proof. 


By the above Lemma and Remark 2.2.1, in order to guarantee there is a non- 
trivial solution of the SIS problem, we always assume the following conditions of 
parameters 

n<m, J/mq™ <B <q. (2.2.2) 


Since the difficulty of SIS problem decreases when 6 becomes larger, we always 
suppose that 
B = mq”. (2.2.3) 


Furthermore, we call n as the security parameter of SIS problem, m = m(n), q = 
q(n), B = B(n) are functions of n. By (2.2.2) and (2.2.3), ifm and q are polynomial 
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functions of n written as m = poly(n), g = poly(n), then 6 is also a polynomial 
function of n, i.e. 6 = poly(n). Let U (Zy"”") be all the m x m random matrices 
uniformly distributed on Z,, we call all the possible SIS problems as SIS, in, i.e. 


SIS 9m = {q(n), U(Zn""), B()}n- 


SIS, ,m problem is called the total SIS problem, which plays an ‘average case’ role 
in the Ajtai reduction principle. The parameters are selected as 


m = poly(n), q = poly(n), g* = O(1) > B = O(/m). (2.2.4) 


Definition 2.2.2 Let A € U(Zi*"), SIS’n.g,6,m Problem is to find z € Z", z ¢ 2Z”, 
such that 
Az =0 (mod q), and |z| < B. 


In fact the goal of SIS’ problem is to find a solution of SIS problem with at least 
one odd integer of all the coordinates. The relation between solutions of the two 
problems could be summarized in the following lemma. 


Lemma 2.2.2 Suppose q is an odd integer, then there is a polynomial time algorithm 
from the solution of SIS problem to SIS’ problem. 


Z1 
Proof Ifz= | : | € Z" isa solution of SIS problem, then there exists an integer 
Zn 
k > 0, such that 2-*z ¢ 2Z”. Let z= 2-*z, since q is an odd integer, based on 
Az = 0 (mod q), we have 


Az’ =2-*Az =0 (mod q), 


and |z’| = 2~*|z| < 2-*B. This means 2’ is a solution of SIS’ problem. The com- 
plexity of calculating z’ from z is polynomial (polynomial function of 1), and this is 
because 

Time{compute z’} = O(nlog’q) = poly(n). 


The above formula also holds even if g is an exponential function of n. 


SIS problem and Ajtai-Dwork cryptosystem have close relation. Let f4(z) = Az 
be Hash function, z’ and z” be the collision points of f4(z), then 


falZ) = fale") (mod g) > A(z’ — z”) = 0 (mod q). 
It’s easy to obtain a solution of SIS problem if we can find two collision points of 


fa. In this sense, Hash function f,4(z) is strongly collision resisted. The security of 
Ajtai-Dwork cryptosystem mainly depends on the difficulty of solving SIS problem. 


38 2 Reduction Principle of Ajtai 


SIS problem could be regarded as the shortest vector problem in the average case. 
Let 
A; (A) = {z € Z” | Az = 0 (mod q)}. 


Then AS (A) is an m dimensional qg-ary integer lattice. In fact, solving SIS problem 
is equivalent to find the shortest vector of A+(A). 

If AcU (ZV) is the coefficient matrix of SIS problem, we can discuss SIS 
problem by transforming it to Hermite form. Let rankA = n, the matrix A; € Zj*" 
constructed by the first n column vectors of A is an invertible matrix. Suppose 
A =[A}, Ao], replace A with A, A, we have 


A, 'A=Lh, A= Aj‘ Al. (2.2.5) 


Since Az is a random matrix uniformly distributed, by Lemma 2.1.1, A is also a 
uniform random matrix with dimension n x (m — n). 


Lemma 2.2.3 The solution set of SIS problem with coefficient matrix A is the same 
as that of coefficient matrix Am 


Proof Let z € Z” such that 
Az =0 (mod q), and0 < [z| < B. 
Then Aj Az = 0 (mod q), z is the solution of SIS problem with coefficient matrix 


A, /A. On the other hand, if Ay'Az = 0 (mod q) > Az = 0 (mod q), Lemma 2.2.3 
holds. 


We call the coefficient matrix Ay A determined by (2.2.5) as the normal form of 
SIS problem. 

Finally, we define some hard problems on lattice. We always suppose L = L(B) C 
R” is a full-rank lattice, 4,, A2,..., A, are the lengths of the continuous shortest vec- 
tors in lattice L, 4; is the length of shortest vector in L, y = y(n) > | is a positive 
function of n. 


Definition 2.2.3 (1) SVP: find a nonzero vector x in lattice L such that 
Ix] < y(m)ai(L). (2.2.6) 
(2) GapSVP,,: determine the minimal distance 4; = 4,(L) of lattice L, 
AV(L) < 1, or Ay (L) > y(n). (2.2.7) 


(3) SIVP,,: find a set of n linearly independent lattice vectors S = {s;} C L, such 
that 
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|S| = max |s;| < y(7)An(L). (2.2.8) 


(4) BDD,: let d = A, (L)/2y(n) be the decoding distance of lattice L. For any 
target vector t € R", if 


dis(t, L) = min |x ~ 1] <d = A4(L)/2y (0), (2.2.9) 


then there exists only one lattice vector v € L = |v — t| < d. The bounded decoding 
distance problem BDD,, is to find the only lattice point v. 


The above Definition 2.2.3 gives four kinds of hard problems on lattice. SVP, 
is called the approximation problem of the shortest vector. GapSVP,, is called the 
determination problem of the shortest vector. SIVP,, is called the approximation 
problem of the shortest linearly independent group. BDD, is called the approxima- 
tion problem of bounded decoding distance problem. 

Since parameter y(n) > 1, the bounded decoding distance d satisfies 


1 
d=h,(L)/2y(n) < rite). 


If the target vector t € R” satisfies the above decoding distance, i.e. dis(t, L) < d, it 
is easy to see there is only one lattice vector v € L => |v — t| < d. In fact, if vy; € L, 
v2 € L > |v; —t| <d, |v2 —t| < d, by triangle inequality 


|v; — v2| < |v — t| + |v2 —t| < 2d <A, (L). 


This has a contradiction with that the minimal distance of lattice L is 4, (L). 

The Ajtai reduction principle is said that the above SIVP,, and GapSVP,, problems 
are polynomial equivalent with average case SIS problem. We will prove this in the 
next section. 


2.3. INCGDD Problem 


Let S = {a;} C R" be a set of vectors in R”, we define 
[S| = max |ay;|. (2.3.1) 


Definition 2.3.1 Let L = L(B) C R" bea full-rank lattice, S = {a), @2,...,@,} C 
L be a set of any n linearly independent vectors in L, t € R” be the target vector, 
r > y(n)¢(B) be areal number. INCGDD problem is to find a lattice vector a € L 
such that 


1 
Pst ee (2.3.2) 
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where g, y(n) and @(B) are parameters. Under the given parameter system, INCGDD 
problem could be written as IN' CGDD?, ss 


Remark 2.3.1 The key of the INCGDD problem is that for the set S of any given 
n linearly independent vectors and any target vector t € R”, to find a lattice point 
a € L,such that the distance between a and the target vector is no more than 4| S| +r. 
By the nearest plane algorithm of Babai, for any S and f, there exists a polynomial 
algorithm finding 


1 
la 11 < 5vals|. (2.3.3) 


In general, the above formula cannot be improved. We can give a counterexample. 
Let L = Z", S = I, be an identity matrix, the target vector t = G. 5, re 5), then 
Va € Z", we have 


n 1 1 
la —t| > [f= i 5VnlSI. 


So there is no lattice point a with the distance no more than +|8 | from f. 


Based on the above counterexample, the parameter selection for INCGDD prob- 
lem is generally g = 4. r in (2.3.2) is called the controlled remainder, which could 
guarantee the existence of lattice vector a. Under given parameter system, the 
INCGDD problem can be transformed into the SIS problem of the corresponding 
parameter system. This transformation is the key idea of Ajtai reduction principle. 
We call this transformation algorithm the oracle algorithm, written as A(B, S, t). 


oracle algorithm A(B, B, 0). 


We first explain how the oracle algorithm works in a very special case. Let S = B 
be the generated matrix of L, the target vector t = 0, parameters of corresponding 
SIS problem are as follows 


q(n) = n’, m(n) = nlogn, B(n) =n. (2.3.4) 


Since B > ./mq™, by Lemma 2.2.1, the total SIS problem SIS,,m has a solution. 
The oracle sampling algorithm that converts the INCGDD problem into the SIS 
problem is actually a probabilistic algorithm, which can be divided into the following 
four steps. 
The first step: let F(B) be the basic neighbourhood of L = L(B), defined by 


F(B) = {Bx | x € [0, 1)"}. 
We select a point c € F(B) uniformly in F(B). Let y € L be the nearest lattice 


vector to c, we obtain a pair of vectors (c, y). Repeat this process independently m 
times and get m pairs of vectors (cy, y1), (C2, Y2), +++; (Cm; Ym), here m > n. 
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The second step: for each c; (1 < i < m), we define ¢;, 
& = BiqB"'c)]/q, 1<i<m. (2.3.5) 
Let c; = Bx;, where x; = (x;,, xi,,---,Xi,)’ € [0, 1)", so we have 
1 4 1 1 1 
—[qB°'c;] = (—[9xi,], —laxin].---, —[9%i, ))- 
q q q q 
Each coordinate satisfies 


0< Lqxi,] < xi, <1, j=1,2,...,n. 


Q le 


Thus, ¢; € F(B). Let c; — 6 = Bu;, v; = (vj,, Vn, ..-, U;,)7, then 


1 1 
O0<u, =x, — [qx] < -. (2.3.6) 
q q 


Therefore, the distance between ¢; and c; has the following estimation. Suppose 
B=[fi,..., Bn], it follows that 


n 


n 
IG — ci = 1 > Bevigl < > loi, 11 Bel 
k=1 


k=1 


n 1 . 4 

< —-|B| = =a Bl (since g =n") 
q n 

The above formula holds for all | < i < m. We can give a geometric interpretation 

of ¢;. Divide the basic neighbourhood F(B) into q” polyhedra with side length a 

and each polyhedron is denoted as A;, where 

7 k-1 


k 
, ie < -, Lek <q}. 
q q 


Aj = {Bx | x = (x1, X2,...,Xn) 


Since {c;}/_, are uniformly distributed in F'(B), each polyhedron A; contains at least 
one c point under positive probability, written as c;. Based on Vol(A;) = qrdet(L), 
so 


1 
Pr{c; € Aj} = — > 0. (2.3.7) 
q” 


According to (2.3.5), both ¢; and c; are contained in the polyhedron A,, and ¢; is the 
point at the bottom left corner of A;. From Lemma 2.1.3, since {c;} is uniformly at 
random in F'(B), then AC B~'c;] is uniformly distributed. Based on Lemma 2.1.1, 


{¢;} is also uniformly distributed at random. Let 
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C= [c1, C2, 2065 CmInxm- 
Y = Ly, 25 00s Yndnxm- (2.3.8) 
C= [¢\, , sees Cm laxin: 


We get three n x m matrices. 
The third step: now we define m n dimensional vectors a; € Zi l<i<cminZ, 


a; = [qB™'c;] (mod gq), 1 <i<m. 


Then 
A = [d),42,.--,4m|nxm € ‘ime (2.3.9) 


According to Lemma 2.1.3, A is a random matrix uniformly distributed. Suppose z 
is a solution of SIS, mg problem, i.e. 


Az = 0 (mod gq), and0 < |z| < 8B, zEZ”. 


Combining z and {¢;}, 
i 1 
Cz =[BlqB 'c1]/q,..., BIB" 'cm)/q]z = B- rad € L(B). 


Since Az = 0 (mod q) > Az € Z", we get a lattice vector CzeL. 
The four step: Similarly, combining z and {c;}/_,, {y;}7_,, we get two vectors Yz 
and Cz. Let z = (z}, Z2,.--, Zm)/, then 


Z1 

22 my 
Yz=[y1, y2,---, Ym] ; = czy €L. 

: i=l 


Zz m 


Both Cz and Yz are lattice vectors, let a = Cz-Yz= (C —Y)z € L. Weare to 
prove that @ is a solution of INCGDD problem. Denote |z|; as the /; norm of z, it 
follows that 


m 


zl = >> lzil < Vmizl. (2.3.10) 


i=1 


The major part of the length ofa = Cz —Yzis |Cz — Cz, which could be estimated 
as follows 


A m * n n/m 
ICz— Cal = 1) Me — Gdzil < T1Bllzh < “wm Bl (2.3.11) 


i=1 
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Select the parameters m = nlogn, q = n*, B =n, when n is sufficiently large we 
have, 


bs 1 
ICz—Cz| < 4 4l- 


The minor part of length |Cz — Yz| of w could be calculated by the nearest plane 
algorithm of Babai [see (2.3.3)]: 


1 
ICz-Yz< Vn Bl. 
Let 6(B) = |B|, y(n) = 3,/n, then 
, i 1 
Jal = |Cz — Yz| < |Cz —Cz| + |Cz—-Yzl< rita +r, 


where r > y(n)(B). In other words, based on a solution z of the SIS, ,,g problem, 
we can get a solution of the IN CGDD?, g Problem for generated matrix B and the target 
vector tf = 0 by a probabilistic polynomial oracle algorithm. Here the parameters are 
chosen as g = 4, y(n) = +/n, b(B) = |B. 

The above oracle algorithm is a simple simulation of the reduction principle for 
INCGDD problem by setting S = B and the target vector t = 0. Given any n linearly 
independent vectors S = {a),a@2,...,@,} C Land target vectort € R", general ora- 
cle algorithm A(B, S, t) will complete the whole technical process of transforming 
the INCGDD problem into the SIS problem, which is the core idea of Ajtai reduction 
principle. We begin from two lemmas. 


Lemma 2.3.1 (Sampling lemma) Let L = L(B) C R” be a full-rank lattice, F(B) 
be the basic neighbourhood, t € R" be the target vector, s > n_(L) be a positive 
real number. Then there exists a probabilistic polynomial time algorithm T (B, t, s) 
to find a pair of vectors (c, y) € F(B) x L(B) such that 

(i) The distribution of vector c € F(B) is within statistical distance sé from the 
uniform distribution over F(B). 

(ii) The conditional distribution of y € L given c is discrete Gauss distribution 
Di 5,040): 


Proof The process of sampling algorithm 7 (B, t, s) could be proved as follows: 
1. Since the density function of Gauss distribution D, ;(x) is 


1 z 2 
= —3|x-1/° 
Ds (x) = an s , 


the corresponding random variable is denoted as D, ;. Let r € R” comes from dis- 
tribution D, ,, and r is called the noise vector. 
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2. Let c € F(B), c= -—r (mod L), y=c+r € L be output vectors, (c, y) be 
the output result. 
Since r is generated by Gauss distribution in R”, it follows that c has the distri- 
bution — D, ; mod L in the basic neighbourhood F'(B). We can prove 
— Ds, mod L = D,-; mod L. (2.3.12) 


Then the statistical distance between the c and the uniform distribution on F(B) is 


A(c, U(F(B))) = A(—D,,, mod L, U(F(B))) = A(D,,-, mod L, U(F(B))) < =e. 


Nie 


On the other hand, y = c+ 7 € L, if cis fixed, the distribution of y € L is the discrete 
Gauss distribution Dz_s (++). We complete the proof. 


Lemma 2.3.2. (Combining lemma) Let q be a positive integer, L = L(B) C R" bea 
full-rank lattice, F (B) be the basic neighbourhood. For any full-rank subset L(S) C 
L(B), where S = [a1, 2, ..., &,], there is a probabilistic polynomial time algorithm 
T,(B, S), form vectors C = [c1, C2, ...,; Cm] uniformly at random in F(B), we can 
find a random matrix A € Z{*" uniformly distributed and a lattice vector x € L(B), 
such that 


1 
Ix —Cz| < cowimisilzh (2.3.13) 


where z € Z'", and Az = 0 (mod q). 


Proof Suppose {a, a@2,...,@n,} C L aren linearly independent lattice vectors, and 
S = [a1,Q2,...,@,] generates the full-rank lattice L(S) C L(B). Let FS) be the 
basic neighbourhood of lattice L(S). It is easy to see that F(B) C F(S). For any 
m vectors {c;}/., uniformly distributed in F(B), we can choose m lattice vectors 
{U1, U2,..., Um} C L(B) by sampling lemma. The corresponding vector in the basic 


neighbourhood F(S) is denoted as v; mod L(S), such that 


{v; mod L(S)}"_, C F(S) are uniformly distributed. 


i=] 
In other words {v;} is selected from the quotient group L(B)/L(S), satisfying v; ¥ 
v; (mod L(S)), and {v; mod L(S)}"_, are uniformly distributed in F(S). We still 
write v; (mod L(S)) as v;, and let 
w; =c; + v; mod L(S), i=1,2,...,m. 


It follows that {w;} is uniformly at random in F(S). For 1 <i 4 j < m, we have 


vu; # v; (mod L(S)) > vj + F(B) # v; + F(B) (mod L(S)), 
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so {u; + F(B)}""_, forms a split of F (S) with the same volume. We get {w;} C F(S) is 
uniformly distributed according to {v;} is uniformly atrandom. Suppose the following 
two matrices C and W are 


Cc = [c1, C2, CE Cm]; Ww = [w1, W2, shee gy Wm. (2.3.14) 
Define m vectors uniformly distributed in Z7 as 
a; = [qS~'w;] (mod q), i = 1,2,...,m. (2.3.15) 


By Lemma 2.1.3, since {w;}is uniformly atrandomin F'(S), then A = [a, a2,..., 4m] 
is ann X m dimensional uniform matrix, A € Le Let ze ae (A), then 


zegn 


ne and Az = 0 (mod q). 


Define the vector x i 
x=(C—W+4+-SA)z. (2.3.16) 
q 


We first prove x € L(B) is a lattice vector. From the definition of vector x, we have 


1 m 1 
x=(C—-W+ 7 sale = Va — wz + 7 oAe 


i=1 


Note that 
c — wi = (CG + Uj) — wi) — Uj, 1<i<m, 


since c; + v; = w; (mod L(S)) > 
c+ uj; — w; € L(S) C L(B), 
and each v; satisfies v; € L, it follows that c; — w; € L, 1 <i <m. On the other 


hand Gaz € Z", we get 7 SAZ € L(S). Thus, we confirm that x € L. Finally, we 
estimate the distance between x and Cz. 


m S 1 m 
ln — Cz] =| Sw; — Sade = 18 Su; - les zil, (2.3.17) 
i=1 q 2 3 
d, 
dy 
where u; = qS~'w;. It is easy to see, foranyd =] . | € R’, 
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n n 
|Sd| =|} disil < Yo Idillsil < |Slldh. (2.3.18) 
i=l i=] 


Since 


m m 


m 
|S @i = eDaily < YO leila — will <2 YO zi] < nvmizl, 
i=] 


i=1 i=1 


by (2.3.17) and (2.3.18) we get 


1 
Ix — Cz] < ee: 


So we finish the proof. 


2.4 Reduction Principle 


The Ajtai reduction principle is to solve hard problems on lattice in general case. For 
example, SVP, SIVP and GapSVP problems can be transformed to SIS problem by 
a polynomial algorithm with positive probability, so the difficulty of SIS problem is 
polynomial equivalent with that of lattice problems. This principle from general to 
average case is called Ajtai reduction principle from the worst case to the average 
case in academic circles. 

We start by proving that the INCGDD problem could be transformed to the SIS 
problem. Denote the INCGDD¢, g problem with parameters as {B, S, t, r}. For any n 
linearly independent vectors S in a full-rank lattice L = L(B) and any target vector 
t € R”, our goal is to solve a lattice vector s € L such that 


1 
ls—t|< —|S| +r, (2.4.1) 
g 


where g > 0 is a positive real number, r > y(n)@(B). 


Theorem 2.4.1 (From INCGDD to SIS) Given parameters g = g(n) > 0, m, B are 
polynomial functions ofn, i.e.m = n°, B = n?, € = €(n) is anegligible function 
of n, ie. € < + (k > 0), @(B) = ne(L), and 


y(n) = B(n)Jn, q = qn) > g(n)nV/mB(n). (2.4.2) 


Under the above parameter system, there is a probabilistic polynomial algorithm, 
which could transform the INCGDD§, g problem to the SIS problem. 
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Proof The probabilistic polynomial algorithm in Theorem 2.4.1 is called the oracle 
algorithm, written as A(B, S, t). In the last section, we introduce the oracle algorithm 
detailedly in special case with S = B and the target vector t = 0. Now we give the 
work procedure of general oracle algorithm A(B, S,t) by sampling Lemma 2.3.1 
and combining Lemma 2.3.2: 

1. Select two integers j and w uniformly at random, such that 


j€{l,2,...,m}, -B<a<B,a£0. 


For a given target vector ¢ € R”, and positive integer j, we define m vectors ¢; (1 < 
i <m)as 


1 “pe F 
_ jog, ifi=j. 
t= O. dey. (2.4.3) 
2. For each i = 1, 2,...,m, according to the sampling algorithm T(B, ¢;, +) in 


Lemma 2.3.1, i.e. lett =t;,5 = =r, we get 
(ci, vi) € F(B) x L(B). 


Note that r > y(n)@(B), so 
2r 
s= a 2 2(B) = 2n.(L). 


3. Define two matrices 


C= [c1, C2; eg Crills Y= Ly, Y2> 2344 Ym: 


4. Based on the given matrices § C L(B), C € F(B)” and the parameter g, we 
can find a uniform random matrix A € Z;””, a solution z of the corresponding SIS 
problem, and a lattice vector x € L(B) by the combining algorithm in Lemma 2.3.2 
satisfying 

1 S 
|x — Cz| < —nJ/m|S||z| < By (2.4.4) 
q & 

5. Let s = x — Yz, then s € L(B) is a solution of the INCGDD problem, such 

that 


1 
ls—t]< mle +r (2.4.5) 


holds with a positive probability. The above oracle algorithm A(B, S, ft) could be 
represented in the following graph 
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tr > (1, y1) 
n Sampling : CeF(B)” [We F(S)"] Combining [x € L(B) 
t € R® ——> : rs nxm | ———— mios 
Algorithm , YeL(By" L Ae Zy Algorithm | z € Z@ 


tm > (Cm, Ym) 


Since x, Yz € L(B), it follows that s = x — Yz € L(B). Next we are to estimate 
the probability that the inequality |s — r| < AD) | +r holds. We write 5 > 0 as the 
positive probability when solving the SIS problem successfully. The event Hj, 
denotes getting a solution z = (Zz), Z2,..., Zm)! of the SIS problem with z; = a, 
and its probability is 6;,,, where 1 < j <m, —B <a < B, a £0. If we obtain a 
solution z of the SIS problem successfully, then at least one of these 2B events Hj,q 


occurs. Therefore, 
peor 
ja 


there is a pair of j,@ such that Pr{Hj 4} = dj 2 > 0. We assume that the 


8 
2mB 
event Hj, occurs and estimate the conditional probability of |s — t| < aly | +r. Let 
T =([t, to,..., tm], then Tz = t;z; = —t. By the triangle inequality, : 


S 
s=4| <x Cz/F1C = Ye n< ai C—T)zl. 


We have : 
Pr{|s —t| < —|S| +r} > Pr{\(¥Y —C-—T)z| <r}. 
& 


Based on the sampling Lemma 2.3.1, y; has discrete Gauss distribution D7) 2 .¢.44,- 
According to Lemma 2.4.2 in Sect. 1.4, it follows that 


2 1 € 2r 5 
Ellyi — (a +t) < G+ )(—)n, 
2x |l-e y 
and 
€ r 
EL — G+ 4)1? < (—)(—)’n. 
l-e sy 
Since y;, y2,.-., Ym are independent, by Lemma 4.6 in section 1.4, 


€ 


m 
1 € 2r 1 2r 
Ell loi — Gi + H))zil71 << = + +m(—)*)(—)? nz? < 2(—)?nlzl?. 
a 2x l-e l-e y y 


Combining |z| < 6 and y = B./n, we get 


12 2 
EIMY —C—T)2P'1 < GS Paleh < 307, 
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Using Chebyshev inequality, 


Pr{\((Y —-C-T)z|>rn}< EY - C-T)zP]< 


WIN 


By (4.6), 


wile 


1 
Prijs =2| <= —[S|--r} 2 Pril@ =C—T)z) <r} 2 
& 
Note that the above inequality holds under the assumption Hq, i.e. 


wl Re 


1 
Pr{|s—t] < —|S| +r | Aja} 2 
& 


Finally, we have the estimation 


1 1 
Pri =e) <8 47S Pile 41S S| FR hed 
8 & 
Hee Stee Pies <-s0 
= Pr{|s—t| <- r| Aja}: Pr{Hjo} 2 =- > 0. 
g ey 3 2mB 


This means |s — t| < Ay | + r holds with a positive probability, so we complete the 
proof of Theorem 2.4.1. 


In the above proof, we have completed the whole process of transforming the 
INCGDD problem to the SIS problem, and prove that the difficulty of the INCGDD 
problem is polynomial equivalent with that of the SIS problem. This realizes the 
reduction principle from the worst case to the average case, which is the main result 
we introduce in this section. For hard problems on lattice, such as SIVP and GapS VP 
problems, based on Theorems 5.19, 5.22 and 5.23 in Micciancio and Regev (2004), 
we can transform them to the SIS problem equivalently. By Theorem 2.4.1, the 
difficulty of hard problem on lattice is polynomial equivalently with that of the SIS 
problem. In addition, the following Theorem 2.4.2 provides another way of reduction 
from SIVP to SIS problem. 


Theorem 2.4.2 (From SIVP to SIS) Let the parameter m be a polynomial function 
of n,ie.m=n?, B>0,q > 2Bn°™, y = Bn?™, then the difficulty of solving 
the SISn.q,p,m problem by a probabilistic polynomial algorithm is not lower than that 
of the SIVP,, problem. 


Proof We are to prove that if there is a positive probability polynomial algorithm to 
get the solution of the SIS, 4,4,m problem, so is the SIVP, problem. In other words, 
we can find n linearly independent vectors S = {s;} C L, such that |$| = max |s;| < 
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y (n)4,(L). Based on a set of linearly independent lattice vectors $ C L (Sis initially 
the generated matrix B of lattice L), the idea of the reduction algorithm is using the 
oracle algorithm to obtain a set of new linearly independent lattice vectors S$’ C L 
satisfying |S’| < |S|/2. Repeating this process and we can finally get the solution of 
the SIVP, problem. Let g > 2Bf(n), f(n) be a polynomial function of n. We give 
the work process of this reduction algorithm. 

1. According to the sampling lemma and combining lemma, generate m short 
vectors uv; € L in the basic neighbourhood of lattice L(S) such that |v;| < |S| f(™), 
i=1,2,...,m, V = [vq, v2,..., Um. 

2. Let A= B~'V (mod q), by the combining lemma we know A is uniformly 
distributed in Lies Solve the SIS problem Az = 0 (mod q) with |z| < 6 and obtain 
a solution z. 

3. Let s = Vz/q. Repeat these three steps and generate enough vectors s so that 
there are n linearly independent vectors, denoted as 51, 52, ..., 5,. Suppose the matrix 
S' is S’ = [s1, 50, ..., Sp]. 

We are to prove that |S’| < |S|/2. Firstly, note that s € L. This is because 


Vz= B(Az), Az = 0 (mod q), 
so B(Az) € gL and s = Vz/q = B(Az)/q € L. Secondly, 
Is] =|Vzl/q < |VIB/¢ < |S| f(™)B/2BF(n)) = |S|/2. 


This means |S’| < |S|/2. Replace S with S’ and repeat the above three steps until 
|S’| < y(n)A,(L), then we confirm that S’ is a solution of the SIVP, problem. 


At the end of this section, we show that the difficulty of some other hard problems 
on lattice are polynomial equivalently with that of the SIS problems. We give another 
two definitions about hard problems on lattice. 


Definition 2.4.1 (1) GIVP9: find a set of n linearly independent vectors S = {s;} C 
L, such that 
|S] = max |si| < y(1)P(B), (2.4.6) 


where y(n) > 1 is a positive function of n, B is the generated matrix of L, and ¢ is 


areal function of B. 
(2) GDD: let t € R” be a target vector, find a vector x € L, such that 


Ix —t| < y(n) (B), (2.4.7) 
where B is the generated matrix of L, and ¢ is a real function of B. 


If @ = i, is the nth continuous minimal distance of lattice L, the GIVP? problem 
in the above definition becomes the SIVP,, problem in Definition 2.2.3. Here we 
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give two lemmas to show that the above two problems could be reduced to the SIS 
problem. 


Lemma 2.4.1 For any function y(n) > 1 and ¢, there is a polynomial reduction 
algorithm from GI VFS, to IN CGDD% . problem. 


Proof Suppose B is a generated matrix of lattice L, our goal is to find a set of n 
linearly independent vectors § = {s;} C L such that 


|S] = max |s;| < 8y (1) p(B). 


We use the idea of iteration to achieve this goal. Initially, let S = B. If S satisfies the 
above condition, then the solution has been found. If S does not satisfy the above 
inequality, assume S = [s, 52,..., 5,], and suppose that 


[Sn| = max |s;|, 
l<i<n 


i.e. s, is the longest vector among 5), 52,...,5,. Let t be a vector orthogonal to 
S1,52,---,Sn,—1, and |t| = |S|/2 = |s,|/2. Here the vector t can be constructed by 
the Schmidt orthogonalization method. Based on the reduction algorithm in Theo- 
rem 2.4.1, we solve the INCGDD problem with parameters {B, S, t, |S|/8}. If the 
algorithm fails, then we have 


S 
_ a < y(n)p(B) > |S| < 8y(n)(B). 


This implies S is a solution of the GIVP§, problem. If the reduction algorithm solves 
the INCGDD problem successfully, then we get a vector u, such that 


lu—t|< a +r= 18 
It follows that 
|u| < |t|+ Le a 
u — = —. 
> 4 4 
Itis easy to verify u, 51, 52, ..., S,—1 are linearly independent. Otherwise, u is orthog- 
onal to ¢ since ¢ is orthogonal to 51, 52, ..., 5,1. Thus, 
ISP 2 2 2 ¢ SP 
— 2lu-t|* = lui? t+ [el = |t|° = —. 
re ee = dP + PS Pe = 
It is a contradiction. So u, 51, 52,...,5,—-1 are linearly independent. Let S’ = 
[51, 52, .-+5 Sp_1, UJ, |S’| < |S], repeat the above process for S’ and we get a solution 


of the GIVP§, problem finally. Lemma 2.4.1 holds. 
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Lemma 2.4.2 For any function y(n) > 1 and ¢, there is a polynomial reduction 
algorithm from GDDS, to INCGDD% . problem. 


Proof Assume B is a generated matrix of lattice L, t € R” is the target vector. Our 
goal is to find x € L, such that 


Ix —t| <3y(n)P(B). 


According to Lemma 2.4.1, we can find a set of n linearly independent vectors 
S = {s;} C L such that |S| < 8y(n)@(B). Let r be a real number satisfying the 
INCGDD problem with parameters {B, S, t, 7/2} fails, and {B, S, t, r} successfully 
solves a solution x. In fact, the real number r in this range r/2 < y(n)@(B) <r 
could satisfy the above condition. It follows that 


S S 
pe = 47 a + 2y(n)$(B) < 3y (n)o(B). 


So we get a solution of the GDD§, problem. We complete the proof. 


In Lemma 2.4.1 and Lemma 2.4.2, we transform the GIVP? and GDD? prob- 
lems to the INCGDD§, g problem. While Theorem 2.4.1 tells us the difficulty of the 
IN CGDD?, g Problem is polynomial equivalent with that of the SIS problem. So we 


have proved that the GIVP? and GDD¢ problems are polynomial equivalent with the 
SIS problem. 
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Chapter 3 M®) 
Learning with Error rie 


Learning with error was proposed by O. Regev in 2005 (see Regev, 2009), which can 
be regarded as a dual form of SIS problem. LWE has very important applications in 
modern cryptography, such as LWE-based fully homomorphic encryption. The main 
purpose of this chapter is to explain the mathematical principles of the LWE problem 
in detail, especially the polynomial equivalence between the average LWE problem 
and the hard problems on lattice, which is one generalization of the Ajtai reduction 
principle and solves the computational complexity of the LWE problem effectively. 


3.1 Circulant Matrix 


Circulant matrix is a kind of simple and beautiful special matrix in mathemat- 
ics, which has important applications in many fields of engineering technology. In 
Sect. 7.7 of “Modern Cryptography’, we explain and demonstrate the basic properties 
of circulant matrix in detail. See the monograph Zheng (2022) on circulant matrices 
for more details. 

Let T be a square matrix of order n, 


(3.1.1) 


where J,,_; is the n — 1 dimensional unit matrix. Obviously, we can define a linear 
transformation x + Tx, x € R" of R" > R" by T. The characteristic polynomial 
of T is f(x) =x" —1,s0 T” = I. We use column notation for vectors in R”, and 
{eo, €1,..-, @n—1} is the standard basis of R”, i.e. 
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1 0 0 
0 1 0 
eo=|9J,a=]9],...,e4= ]:]. (3.1.2) 
0 0 1 


Denote e,, as ex, if m = k (modn), and0 < k <n —1, it is easy to see 


Tex = x41, and T* (ey) =e, OS k<n-1. (3.1.3) 
ao 
Definition 3.1.1 Let a = : € R", the circulant matrix T*(@) generated by 
An—1 
a is defined by 
T*(a) =[a, Ta,..., TT" @]Jnxn € R"™". (3.1.4) 


It is easy to verify that the circulant matrix B generated by the linear combination 
vector is the linear combination of the corresponding circulant matrices, i.e. 


T*(aa + bB) = aT* (a) + bT*(B). (3.1.5) 
ao 

Specially, for any a = : € R", the circulant matrix T*(a@) generated by a 
Qn-1 


could be written as 


n—-1 n—-1 
T*(a) = T* (x asi =) aiT* (ei), (3.1.6) 
i=0 i=0 
therefore, any circulant matrix is the linear combination of circulant matrices gener- 
ated by the standard basis vectors e;. It is easy to verify that 
T*(e.) =T*, 0O<k<n-1. (3.1.7) 
In particular, the unit matrix J, is a circulant matrix generated by the vector eg. The 


basis properties about the circulant matrix are summarized in the following lemma, 
and the corresponding proofs could be found in Sect. 7.7 in Zheng (2022). 


alo Bo 


1 
Lemma 3.1.1 Leta = : ,p= : be two vectors in R", then we have 


Qn-1 Bn—1 
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(i) T*(@) =agl, +ayT +--+ + oe ae 
(ii) T*(a)- T*(B) = T*(B) - T*@). 
(iii) T*(a)-T*(B) = T*(T*(@)B). 
(iv) det(T*(a)) = TT" a(wi), where w; is the n-th unit root. 
(v) T*(q@) is an invertible matrix if and only if the characteristic polynomial a(x) = 
Oy Fax +++ + ay—1x"! 
(a(x), x" -1=1. 


corresponding to a and x" — 1 are coprime, i.e. 


We take the characteristic polynomial x” — | as modulo and construct the one-to- 
one correspondence between polynomial quotient rings and n dimensional vectors, 
which is called the geometric theory of polynomial rings. We consider the following 
three polynomial quotient rings. Let R[x], Z[x] and Z,[x] be the polynomial rings 
of one variable on R, Z and Z, respectively, defined by 


n—-l 
R=R[x]/ <x" -1>= [Sania eR}, (3.1.8) 

i=0 

n—l 
R=Z[x]/ <x"-1>= [Sariaen} (3.1.9) 

i=0 

and 
Ry = Zylx)/ < x" -1>= [Sa Joe24} (3.1.10) 

i=0 


In fact, the right hand side of the above formula is a set of representative elements 
of the polynomial quotient ring. 

For any a(x) = @ + ax +--+» +a,_,;x"~! € R, we construct the following cor- 
respondence 


a(x) =ao Fayx tes +a, x" 1! E Roa= . ER”, @G.1.11) 


Qn-1 


written as a(x) <—> a ora <— a(x). Then (3.1.11) gives a one-to-one correspon- 
dence between R and R”. In the same way, w(x) <—> a also gives the one-to-one 
correspondences of R — Z” and R, — Zj. It is not hard to see that the above 
correspondence is an Abel group isomorphism. To establish ring isomorphism, we 
introduce the concept of convolution multiplication of vectors. 


Definition 3.1.2 For any two vectors a, 6 in R”, Z” or Zi we define the convolution 
a @ B by 
a@®p=T*(a)-B. (3.1.12) 
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Under the above definition, R”, Z” and Zi become a commutative ring with unit 
element, respectively. Obviously, the convolution defined by (3.1.12) is closed on Z” 
or Zi: Ifa € Z”, then T*(a@) € Z"*", thus, a ® B = T*(a)B € Z", so is Zi: Based 
on the property (iii) of lemma 3.1.1, 


T*(a @ B) = T*(T*(@)B) = T*(@)T*(B) = T*(B)T*(@) = T*(B @ a), 
so we have a ® 6 = 8 ® a. On the other hand, 
(Qa+a)@B=T*at+a')B=T*(a)B+T*@')p=a@ Bp +a’ @ B, 
hence, R”, Z” and Zi are commutative rings with the same unit element eg. Since 
T*(€) = I, then 
0 @B=T*(eo)B = InB = B. 


Lemma 3.1.2 Suppose R, R and R, are defined by (3.1.8), (3.1.9) and (3.1.10), 
then we have the following three ring isomorphisms: 


RR’, R=Z and R, = Zi. 
Proof We only prove R = R’, the other two conclusions could be proved in the 
same way. Va(x) € R, a(x) <— a € R” is a one-to-one correspondence and an 
Abel group isomorphism. We are to prove 
a(x) B(x) <> a @ B, Va(x), B(x) € R. (3.1.13) 
Let B(x) = Bo + Bix + +++ + Bn—1x""!, then 


xB(x) = Box + Bix? +-++ + Ba—2x" | + Bn—1x” 
= Bn-1 + Box Se er ae 


so xB (x) <— TB. For all k,0 < k <n— 1, we know 
x" B(x) <> T*£. 
Let a(x) = a + ajx +--+» +a,_;x"!, it follows that 


n—-1 n—-1 


on(x) B(x) = D> agx* B(x) > D7 ay T*B = T*(a)B = 0 @ B. 


k=0 k=0 


Therefore, we prove that R = R”. Similarly, we have R = Z” and R, = Zi: 


Since R” is Euclidean space, the Euclidean distances in Z" and Z{ could also be 
defined as the Euclidean distance in R”, which is called the embedding of Euclidean 
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distance in Z” and Zi: By Lemma 3.1.2, we treat R,R, R, and R", Z", Zi as the same 
and write R = R", R= Z", R, = Zj,. Therefore, the polynomial rings R, Rand R, 
also have Euclidean distance, which constructs the geometry of the polynomial ring. 
For any polynomial a(x) € R, we define 

ja(x)| = ja|, ifa(x) a. (3.1.14) 
Lemma 3.1.3 For any a(x), B(x) € R (or R, R,), we have 

lo(x)B(x)| < Vnla(x)| - |B(x)I.- 


Proof To prove this lemma, we only prove that for any a, 6 € R” (the same as Z” 
or Zi)» we have 


la @ B| < Vala] - |Bl. (3.1.15) 
By Definition 3.1.2, 
by 
by 
a @B=T*(a)B =[a,Ta,...,T” 'a]pB =|. | eR’. 
Dn 


Let @ be the conjugation vector of a, i.e. 


a Qn-1 
Qa) -_ An-2 
a= >a= ‘ 
On-1 ao 


then, the circulant matrix T*(a) generated by @ can be divided into rows 


ae ke 

a’ (TT?) 

T*(a) = ; ; 
al (Try 

where T7 is the transposed matrix of T. So bi = @ (T7)'B (1 <i <n) and we get 


Ibi| <|a|- |B], Leica, 
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It follows that 


Nie 


ja@ Bl = (>>») < Vnla| - |B. 


We complete the proof. 


Finally we discuss the relation between circulant matrix and lattice. Let B € IR’*” 
be a square matrix of order n, the lattice L(B) C R” generated by B is defined by 


L(B) = {Bx |x €Z"}. 


If B is an invertible matrix, then L(B) is called an n dimensional full rank lattice. 


Definition 3.1.3 Let L(B) C R" bea lattice, we call L(B) acyclic lattice, if L(B) is 
closed under the linear transformation T, i.e. for any a € L(B) wehave Ta € L(B). 
If L(B) C Z" is acyclic lattice, then L(B) is called a cyclic integer lattice. 


Lemma 3.1.4 Let a € R", then the lattice L(T*(a)) generated by the circulant 
matrix T* (a) is a cyclic lattice, which is the smallest cyclic lattice containing a. 


Proof Based on the definition T*(@) = [a, Ta, ..., T”~'a], we get 


n-1 
L(T*(a)) = [Sat fae | 


i=0 
For any B € L(T*(@)), 


n—-1 
B=) UbiT'a => TB € L(T*(a)), bj € Z, 
i=0 


so L(T*(a)) is acyclic lattice. Assume L is acyclic lattice containing a, sincea € L, 
TaeéL,...,T"'a € L, then any linear combination of integer coefficients 


n—-1 
Yo aiTia eL>L(T*(a)) CL. 
i=0 


This means that L(7*(a@)) is the smallest cyclic lattice containing a. 


Lemma 3.1.5 Let L(B) C R” be acyclic lattice, a € L(B) be a lattice vector, then 
there is an integer matrix D € Z"*" such that 


T*(a) = BD. (3.1.16) 


Proof Since a € L(B), L(B) is acyclic lattice, then Ta € L(B), T’a € L(B),..., 
T’'aw € L(B). Let(O<k <n—-1) 


3.1 Circulant Matrix 59 
T*a = Bdy, dy € Z", D = (do, di,..-4dn-t)nxn € Z"™", 
the circulant matrix T*(@) generated by a could be written as 


T*(a) =[a, Ta,...,T" 'a] = [Bdo, Bd), ..., Bd,_|] = BD. 


Lemma 3.1.5 holds. 


Let L C R" be a lattice, for any x € R", there exists u, € L > 


Ix—u,]= min ja—x|=|x—Ll. (3.1.17) 
acl asx 


ux is called the nearest lattice vector of x. We define the covering radius p(L) of L 
by 
p(L) = max |x — u,| = max |x — L|. (3.1.18) 
xeR" xeR" 


Obviously, the covering radius p(L) satisfies that any sphere N(x, o(L)) with 
radius p(L) contains at least one lattice vector. If L; C L is a sublattice, then for any 
x eR’, 

|x — L| < |x — Li| = pe(L) < p(L)). (3.1.19) 


If L = L(B), we write o(L) = p(B). The final goal of this section is to prove 
the existence of the covering radius and give an upper bound estimate of o(L) using 
Babai’s nearest plane algorithm. 

Let L = L(B), S = {51, 52,...,8,} C L be n linearly independent lattice vec- 


tors. S* = {s}, sj, ..., 57} 1s the orthogonal basis corresponding to S by the Gram- 


ee) 


Schmidt method. We define 


a(S) = (>: ir) (3.1.20) 
i=l 


Lemma 3.1.6 (Babai) Let L = L(B) C R" be a full rank lattice, S C L be the set 
of n linearly independent lattice vectors, then for any t € R", there exists a lattice 
vecorweL> 


1 
It — wl < 50(S). (3.1.21) 


Specially, the covering radius p(L) of L exists and satisfies p(L) < $0 (S). 


Proof Without loss of generality, we only prove for the case $ = B. Since L(S) C 
L(B) is a full rank sublattice, by (3.1.21) w € L(S) > w € L(B) and p(L) < 
p(S) < 50 (S). Let B = [f1, B2,..., Bn], the corresponding orthogonal basis is 
B* = [By, B5,..., B=]. Babai’s algorithm is based on the following two techniques: 
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(1) Rounding off (see Theorem 7 of Chap. 7 in Zheng (2022)) 


Vx € R", let x = )~"_, x;*, where x; € R. Define 4; € Z is the nearest integer of 
Xx;, and 


n n 1 1 
[xla = D587, tds =) arbi, —5 <a: < 5,1 <i <a. 
i=1 i=1 


It is easy to see x = [x]g + {x}g, where [x]g € L is a lattice vector. 
(2) Nearest plane 
Let U = L(B), B2,.--, Bra—1) C R" be ann — | dimensional subspace, 


n—-1 
L'= > ZB; C L isa sublattice of L. 


i=l 


After x € R” is given, let v € L, such that U + v is the nearest plane of x. Let x’ 
be the orthographic projection of x in U + v, y € L’ be the nearest lattice vector of 
x — Uv, w = y+ v bean approximation of the nearest lattice vector of x in L. Based 
on the above definitions, we can prove that (see (7.82) of Chap. 7 in Zheng (2022)) 


U= L(pi, Bo, Soe Pn) = L(fy, 3, 905 Bal 


v = bn Bn € L 
n—1 

x! = D1 xiBF + 8, Br (3.1.22) 
i=l 

y is the nearest lattice vector of x — v in L’ 

w=ytvel 


Since v = 6,Bn, x’ = 2") x: B* + bn Be, 
/ * 1 * 
poo), = s lb S 5 |Brl- 


The distance between any two planes in {U + z | z € L} is at least |B*|, and |x — x’ 
is the distance of x from the nearest plane, so we have 


|x —x’] < |x — uy. 
Letw =y+v=yt+6,B, € L, we are to prove 
[x — w|? = |x —x'P + |x’ — w/?. (3.1.23) 
This is because 


xX — x! = (X%, — 5,) BF, x’ —w=x’-v—ye, 
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therefore, 
(x —x’)L@’—w), 


and (3.1.23) holds. Based on the assumption: 


(Bi? +--+ + 1B_/). 


1 
|x’ — w|? =< 4 


It follows that 
1 1 . 
x — wh? < FUBEP + 1B? + IBS) = (57) 
Let x = t € R”, we get w € L such that 


1 
lt-—wl< gee 


This lemma holds. 


The calculation of the covering radius on lattice is also a kind of hard problem. 
We define the covering radius problem (CDP,,) based on parameter approximation. 


Definition 3.1.4 (CDP,,) Let L be a full rank lattice, y(n) be a parameter, CDP, 
problem is to find an r such that 


P(L) <r <y(njp(L). (3.1.24) 


3.2 SIS and Knapsack Problem on Ring 


Let q be a positive integer, Z, be the residue class ring mod q, and Z,[x] be the 
polynomial ring of one variable on Z,. By (3.1.10), we define a quotient ring R, on 
Z4q [x] 

Ry = Zglx]/ < x" —1 >= (Zi, +, ®). (3.2.1) 


To define the SIS problem on R,, for any m polynomials A = {a)(x),...,@m(x)} C 
R,, A could be regarded as an m dimensional vector in Rj, i.e. A = (a, (x),..., 
Am(X)) € Kes with the norm |A| defined by 


1 


= (x 1) (3.2.2) 
i=1 


Nie 


|A| = (> jo) 
i=1 


where a;(x) <—> aj € La, 
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Definition 3.2.1 Let 6 > 0 be a positive real number, n,m,q be positive inte- 
gers. The SIS problem on R, is defined as follows: for any given uniformly 
distributed vector A = (a)(x),...,@m(X)) € Ros find an m dimensional vector 
Z = (z1(X), Z2(X),..-, Zm(X)) € a such that 


fal) = Dailxer(x) =0 
ae . (3.2.3) 
0 < |z| = (= oP) <p 


i= 


This problem is denoted as R, — SISg/g.m. 


Remark 3.2.1 By the above definition, f4(z) € R,, so f4(z) = 0 is equivalent to 


fa = Yai (x)zi(x) = 0 (mod x” — 1), 


i=1 


here 0 < |z| < f is computed in the real number field R. 


Remark 3.2.2 In order to guarantee the R, — SIS,,g,m problem has solution, we 
only need m > logyg, which has big difference from the requirement m > nlogg 
of the classical SIS problem (see Sect.2.2 in the last chapter). In fact, if A = 
(a, (x), d2(X),...,@m(X)) is given, the selection of z = (z1(X),..., Zm(x)) could 
be considered in Zi. For each z;(x) <—> z € Zia choose each coordinate of z; as 
0 or 1 so that the n dimensional vector z; has a short length. There are about 2” 
such short vectors z;, so there are about 2”” choices of z in total. If 2”” > q”, Le. 
mn > nlogsg,m > logog, then z’ € RY’, z" € R? => 


faz’) = fae") => fa’ — 2") = 0. 
So z = z’ — 2” is the solution satisfying (3.2.3). 
Geometric definition of R, — SIS, 4m: 


Given m vectors A = (a), d2,..., Gm) uniformly distributed on Li aj € Li solve a 
group of nonzero short vectors z = (21, Z2,---; Zm)s Zi € Eas such that 


fale) = Da; ®zj =0 


= (3.2.4) 
gaign, la can 


Obviously, R, — SIS problem is a special case of the knapsack problem on ring. 
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Definition 3.2.2. (Knapsack problem on ring) Let R be a commutative ring with 
identity, a), ...,@» be m nonzero elements in R, X C R, |X| = 2”,b € R is called 
the target element. Knapsack problem on ring is to solve m elements Z1, Z2,..-, Zm € 
X in X such that 


fa(2) =) ajz; = b, Vz; € X. (3.2.5) 


i=1 


If R = Z is a ring of integers, X = {0, 1}, or X = {0, 1,..., 2” — 1}, then the 
above problem is the classical knapsack problem. It has been proved that the com- 
putational complexity of solving the knapsack problem on Z is subexponential, such 
as the super increasing sequence is polynomial. If R = R,, b = 0, then the above 
problem becomes the SIS problem on R,. The main result in this section is the fol- 
lowing theorem: 


Theorem 3.2.1 Let m = O(logn), k = O(log n)qZ Amkn?, and y > 16mkn?, 
if we can solve the knapsack problem (3.2.6) on Rg, then there exists a probabilistic 
polynomial algorithm solving the covering radius problem CDP,, for any n dimen- 
sional full rank cyclic lattice. 


The knapsack problem on R, in Theorem 3.2.1 is the more general case of (3.2.4), 
which is summarized in the following definition. 

Knapsack problem on R,: Choose m vectors A = (a, a2, ..., Gm) uniformly 
distributed on Z/ randomly and any target vector b € Z/, find a set of short vectors 
Z = (Z1, Z2,-++ 5 Zm) Such that 


m 


fa) =) a, ®z =b, |zil< Yn, 1<i<m. (3.2.6) 


i=1 


From Theorem 3.2.1, the knapsack problem on R, on the average case has a more 
difficult computational complexity than the covering radius problem on any full rank 
cyclic lattice under positive probability, which is another reduction principle from 
the worst case to the average case by Ajtai. 

The core idea of the proof of Theorem 3.2.1 is to approximate the covering radius 
p(L) of L by 50 (S) for any cyclic lattice L = L(B) C R" under the assumption that 
(3.2.6) is solvable, where S = {51, 52,..., 5,} C Lis aset of n linearly independent 


vectors, and 
1 


o(S) = (»: 3 , 


i=l 


{s{, s3,...,5*} is the corresponding orthogonal basis of S using Gram-Schmidt 
algorithm. Since |s**| < |s;| (1 <i <n), we have 
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1 1 


a(S) = bs sr) < (Ser) (3.2.7) 


i=1 i=1 


By Lemma 3.1.6, p(L) < $0(S). The core steps of approximating p(L) by +0 (S) 
is summarized as follows. 


(1) Reduced algorithm 
Randomly choose S$ = {s1, 52,..., 5,} C L is a set of n linearly independent lattice 
vectors, assume that 
[S| = [sn] = max |si|. 
l<i<n 


If $a(S) < ye(L), then the CDP, problem on L is solved. If a(S) > 2yp(L), we 
can find a lattice vector s’ € L, such that 


Is] < ISn| | S| 
Ss =|sn| = =I|SI, 
ie 2 n 2 
and s;, 2, ...,S,—1, 5’ are linearly independent. Replace S with the new set of vectors 
S’ = {51, 82,..., 8,1, 5’}, that is, replace s, with s’ in S. Repeat this process n times 
and we can get 
1 
IS | < 5/SI- (3.2.8) 


Repeat the above reduced algorithm, and find a set of linearly independent vectors 
S Cc L, such that 

2y 
Jn 


and the computational complexity of the algorithm is polynomial. Based on (3.2.9), 
we have 
Jn 


1 n 
p(L)< 57) < a Sl < yp(L). 


[S| < p(L), (3.2.9) 


So we complete solving the CDP, problem. 


(2) Approximation of standard orthogonal basis 
Let {e9, €1,..., €n—1} C Zi be a standard orthogonal basis, L = L(B) C R” be a 
given cyclic lattice. Define the parameter 


4 
c= (“4 + *) a(S), (3.2.10) 
y 2 
where S = {51,52,...,S,} C Lisa set of n linearly independent vectors, such that 


a(S) > 2yp(L). (33,11) 
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To find s’ in the reduced algorithm, by Lemma 3.1.6, there is a lattice vectorc € L > 
1 
lc — Beol < 57 (8). (3.2.12) 
Since T is an orthogonal matrix, it is an orthogonal linear transformation in R”, i.e. 
|Ta| = ja|, Va € R”. 


Therefore, foranyO <k<n-—1, 
k 1 
|T"(c — Beo)| = |e — Beo| < sre) 


Note that T*ep = e;, so 


1 
IT*c — Bex| < 50(5). 


Because c € L and L is a cyclic lattice, then Tkc EL (O<k <n-—V). The circu- 
lant matrix T*(c) = [c, Tc,..., T*~!c] implements the approximation of standard 
orthogonal basis. 

In order to give a complete proof of theorem 3.2.1, we denote 


B' = q(T*(c))'B. (3.2.13) 


Lemma 3.2.1 The lattice L(B') generated by B' satisfies qZ" C L(B’). 


Proof By Lemma 3.1.5, since c € L and L is acyclic lattice, there exists an integer 
matrix D € Z”*" such that 


T*(c) =BD= B'T*(d) €Z"™, 


thus, 
B'(B'T*(c)) = q(T*(c)) | - B- B'T*(c) = qh. 


Each column of the above matrix ge; (O<j<n-NDeEL(B)SqZ"c 
L(B’). 

Based on Lemma 3.2.1, qZ" is an additive subgroup in L(B’). Randomly choose 
mk vectors - eG(<i<m,1< j <4) inthe quotient group G = L(B’)/qZ", 
the integral vectors w, ; of x, ; 18 defined by 


1 


w;, =[x,]€ 2", l<i<m,1<j<k. 


Let , 
aj = Yo wij (mod q) => a; € Z", (3.2.14) 


j=l 
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A = (a), a2,...,@m) contains the above m vectors in Z”, consider the knapsack 
problem on R, = (Zi, +, ®), 


m 


fa) = >a; @ zi, Vzi € ZF, |zil < Vn. 


i=1 


If we can solve the knapsack problem on R,, then f4(z) collision is also solvable. 
So there are integral vectors y = (y), y2,--- Yn)> ¥ = (V1, 92, -++5 Ym) Such that 


m 


fay — 3) = 0a ® OF - Fi) =O, Vii < Va, Sil < Va, (3.2.15) 


i=1 


where 
YS 1p ari Pals VS On Pawns In)> (3.2.16) 


Based on the vector clusters y and f in Zi we define 


ea llc and w;; = tT*(c)w,; 
k 
c= Le ij — wij) ® (vi — Ji) 


i=1 j=1 


(32.17) 


The s’ defined by the above formula is just the s’ in the reduced algorithm. First, 
we prove the following lemma. 


Lemma 3.2.2 x;; € L(B) is a lattice vector in the given cyclic lattice L(1 <i < 
m,1 <j <k), andif fa(y) = faQ), 8’ € L(B) is also a lattice vector. 


Proof Since a € L(B’), there is a € Z" such that Xj = B’a, we get 
1 * / I * * -1 
ae Sead (c)-q(T*(c)) - Ba = Ba € L(B). 


To prove s’ € L(B), by (3.2.17) and the property of circulant matrix (see (3.1.5)) 


v= Es @ (vy — Sis) — > wiz @ (Vij — Sis) 


= Pano = Fis) — DOT wi) Oi; — Ji) (3.2.18) 
m k 7 


m k 
= VO api - I) -— ITO) wi): — 5d. 
i=l j=l i=l j=l 
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Based on the first conclusion, x;; € L(B) > Yo xi; € L(B), since y; and 3; are 
integral vectors in Z”, it follows that 


k 
Yo xij (yi — 91) € ECB). 


Next we prove the second term of (3.2.18) is also a lattice vector. By the definition 
of Wij, 
k 


1 
wij = al (c)w;;, then So wij = -T* (c) My 


j=l j=l 


> 


Hence, 


> 


k 


abou = =<Tor" So wy 
j=l j=l 


The second term of (3.2.18) could be written as 


m 


ae y wisi — 51) = _T opr 2 wii — 3a) 
= -or" Bs 66 — $i). 


i=l j=l 


(3.2.19) 


Since 


m 


k 
Y 5 wiz @ Oi — 31) = D5 ai @ (Vi — Si) (mod g) = fay) — fa) (mod q), 


1 j=l i=l 


tee 


i 


by f4(y) = fa(3), we know the second term of (3.2.18) is in L(B), ie. 


m 


pale 3 wis (i — Si) € L(B). 


i=1 


Finally we have s’ € L(B) based on (3.2.18). 


Lemma 3.2.3 The lattice vector s' defined in (3.2.17) satisfies 


1 1 
: <a n= A : 2.2) 
Is'| 5/8 | 5ISI (3.2.20) 
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Proof We only prove |s’| < a (S)/2,/n, since 


1 
n 


o(S)< ay < VnlS| = Valsnl, 
i=l 
we can get |s’| < 5|Sn |, and the lemma is proved. Based on the definition of 5’, 
m k 
I< Oley — wi) ® OF - SII. (3.2.21) 


i=1 j=l 


It follows that 
iin i ; 1 , j 
Xij — Wij = —T"(C) Qj; — Wij) = —¢ @ yj — Wjy)- 
q q 
Let a = c — Beg, then |a| < $0 (S) (see (3.2.12)), and 
1 ' j 1_. : 
Xij — Wij = —(a + Beo) ® (Xj; = wi;) =-T"(a@+ Benj; _ w;;) 
q q 
Ps ee ee ey eee 
= —BT"(e0) (xj; — wij) + —T"(@)(;; — wi) 
q q 
_ Boo , | ' , 
= Fas ae ee (a) (aj; — W;;)- 


Since 


1 
< =Vn, 


' , 
|x ij 5) 


Ge 
combine with (3.1.15) in the last section, we have (6 is determined by (3.2.10)) 


B, , 1 , , 
|xij — wWijl < qt = w;/| + °° (Xj; = wi; ,)I 


B 1 1 Jn 1 
ge. 5 “¥n- 50(S) 
_B vm 1p oS) vn 

qd qd 2 2; 
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Based on (3.2.21), we get 


Is'| < mk/n max [Xjj — Wij sae lvi — Jil 


o(S) 
2Jn 


< mks/n - 2./n max |x;; — wij| < 
ij 


So we complete the proof of Lemma 3.2.3. 


From the above lemma, the reduced algorithm required in Theorem 3.2.1 is proved. 


However, we must prove that {a;}/1, C Zj determined by (3.2.14) is uniformly dis- 


tributed, so that the knapsack problem on R, is solved in the average case. Next we 
prove that {a;}/"_, is almost uniformly distributed in Z7, that is, the statistical distance 
between the distribution of {a;} and the uniform distribution is sufficiently small. We 
first prove the following lemma. 


Lemma 3.2.4 Let B' = q(T*(c))~'B, then the covering radius p(B’) of L(B') sat- 
isfies 


1 
B’ < Dok 
p(B) a 
where L(B) is a full rank cyclic lattice, c € L(B) is given by (3.2.12). 


Proof Based on the definition of covering radius, 
p(B’) = max |x — u,| = max |x — L(B’)|. 
xeR" xeR" 


Let ¢’ € R" be the vector achieving the maximum value above, i.e. |t/ — L(B’)| > 
p(B’), and 
It’ — B’z| > p(B), Vz eZ". 


Denote 
1 * f 
t= —-T*(c)t. 
q 


Suppose Bzy € L(B) is the nearest lattice vector of t, then we have 
p(B) 2 dist(t, L(B)) = |t — Bzol 


1 * Fd 1 * fs td 
= ma (c)t' — Bzo| = ra (c)(t — B'zo)| 


lc @d| (3.2.22) 
Id| 

lc @ d| 

min 

deR",d40|d| 


1 / iy s 
2 —|t — B’zo| min 


> —p(B’) 


q 
1 
q 
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For any d € R", d # 0, we estimate the value of c ® d. Since c = Beo + a, where 
la| < $0(S), so 
lc @d| = |(Ben+ a) @d| 


1 
2 |d|\(B — 500 (5) 
ae eels 
= \a\"4 (5): 


By (3.2.22), we have (see (3.2.11)) 


1 
p(B) 2 > <p(a) a(S) 


> ee 


This implies p(B’) < x. Lemma 3.2.4 holds. 


Lemma 3.2.5 Let A = L(B) be a lattice, Q C R" is convex and contains a ball 
with the radius r > p(A). Then the number of lattice vectors of L(B) contained in 


OQ satisfies 


Vol(Q) p(A)n Vol(Q) 2p(A)n 
rPTe Ws 7 Vs BINS Fy ). 


Proof See Lyubashevsky and Micciancio (2006) or Lyubashevsky (2010). 
Based on the above lemma, let A = L(B’), we estimate the distribution of vectors 
{a,j} in Dy: From the definition 


aij = w;; (mod q), a; = ay (mod q), (3.2.23) 
j=l 


where Wij . is the ee vector of fo /€ G = L(B’)/qZ". The ball taking Wij . as 
ve Senter with radius } 2 is contained in ‘the cube centered as w,, ; with the side jensth 
z+ Since p(L(B’)) < x <5, from lemma 3.2.4, the number WN of lattice vectors of 


LB ) in this cube satisfies 


1 1 1 1 
tas) 2 a2 ds), 
det(B’) 4 det(B’) 2 


is uniformly selected in L(B’)/qZ", there are 


, 
For any a € Ry = Zj, because x;; 


n 


q 


! nj—-l __ 
|L(B)/qZ"|~" = det(B) 
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possible choices, therefore, 


Pr{a;; = a} - —| < (3.2.24) 


2q"" 


Now we estimate the probability distribution of {a;}""_,. 


Lemma 3.2.6 Let G be afinite Abel group, A,, Az, ..., Ay be k independent random 
variables on G, such that for any element x € G, 


1 1 
PHA, =a) = =| Se 
|G| 2|G| 


Then the statistical distance between € = ee , Aj and the uniform distribution on 
G is 
AE, UG)) <2. 


Proof We use mathematical induction to prove that the following inequality holds 
for any positive integer k, 


Pr{é = x} xeEG. 


1 1 
< ’ v 
IG|| ~ 2*|G| 


Ifk = 1, the inequality above holds. Assume it holds fork — 1, denote &’ = ye Ai, 
& = &' + A,, we have 


1 ba ae ees 

Pag =x) - 2] = 2 Pelt =a, Ay = x —a} Tal 
= 2 = a}Pr{Ay = x —a} — a 
= (rte =a}— =) (Peta: =x-—a}— =) 

o IG| IG| 
1 1 1 
<L aeiay 2@] ~ aT 
Thus, 
A(é, U(G)) = 5s Pr{é = x} l |< ay. | = 2-k+1) 
, 2. IG|| ~ 2 —~ 2k|G| , 


xEeG xeEG 


This lemma holds. 
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From (3.2.23), (3.2.24) and Lemma 3.2.5, we know that each a; = 4 aij is 
almost uniformly distributed on Zi i.e. the statistical distance between a; and the 
uniform distribution is sufficiently small. Therefore, the knapsack problem on R, 
sampled by f4(z) is in the average case. So far, we have completed the proof of 
Theorem 3.2.1. 


3.3. LWE Problem 


The LWE problem is to solve a kind of random linear equations under a given 
probability distribution. To better understand the LWE problem, let’s start with the 
checking learning problem (LPE) with errors. Let Z. = {0, 1} be a finite field with 2 
elements,n > 1 ande > 0 bea given parameter. The distribution of € with parameter 
€ on Zp is 

Pr{é = 0} = 1—e, Pr{&é = lh =e. 


If a, b € Zp, the probability that a and b having the same parity is 1 — ¢, i.e. 
Pr{a = b (mod 2)} = 1 —e, 


denoted as a =, b. The checking learning problem with errors LPE is: given m 

independent vectors {a1, a2,..., dm}, a; € Z5 uniformly distributed on Z5, and b = 
by 

€ Zi, to solve a vector s € Z, such that the following m random congruence 


bm 
equations hold simultaneously 


b,j =.< aj,5 > (mod 2) 


by =,< do, 5 > (mod 2) 
: : (3.3.1) 


Dn =e< Am, 5 > (mod 2) 


where < a;,s > is the inner product of two vectors in Z5. If ¢ = 0, then the dis- 
tribution € becomes the trivial distribution, and (3.3.1) becomes m deterministic 
congruence equations. At this time, the LPE problem could be solved by Gauss 
elimination method with only n equations, and the computational complexity is a 
polynomial of n. If ¢ > 0, the LPE problem is nontrivial, and its computational 
complexity is exponential of n. For example, the likelihood algorithm requires O(n) 
random congruence equations with computational complexity 22). In 2003, Blum 
et al. (2003) proposed a subexponential algorithm whose computational complexity 
and the number of random congruence equations are both 22/8"), which is the 
best result of the LPE question so far. 
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Generalizing the LPE problem from mod 2 to the general case mod q, it becomes 
the LWE problem. Due to the important role of the LWE problem in modern anti- 
quantum computing cryptosystems, we will introduce the related concepts and results 
in detail in this section. First, we define the random congruence equation with error 
on the integer ring Z. Let n > 1, q > 2 be two positive integers, Z, be the residue 
class ring of mod q, and x be a probability distribution on Zg. 


Definition 3.3.1 Let a,b € Z, e € Zg, if 
Pr{a = b +e (mod qg)} = x(e), (3.3.2) 
we call a and b are congruential mod g under the distribution x, denoted as 
a=,b+e(modgq), ora =, b+e. (3.3.3) 


The above formula is called a random congruence equation with error under x, and 
it is abbreviated as a = b + e sometimes. 


Based on the above random congruence equation, we give the definition of the 
LWE distribution A, ,. 


Definition 3.3.2 Lets € Li x be a given distribution on Z,, the LWE distribution 

As, =(a,b)¢€ Zi x Zq generated by s and x satisfies: 

(1) ae Zi is uniformly distributed; 

(2) b=,<a,s > +e, where < a, s > is the inner product of a ands in Z,,e € Z, 
has the distribution x, i.e. e <— x. We call As, = (a,b) € Zi x Zq the LWE 
distribution, s is called the private key and e is called the error distribution. If 
b € Z, is uniformly distributed, then A, , is called the uniform LWE distribution. 


Under the LWE distribution A, , = (a,b) € Zi x Zq, for a given error e € Zy, 
the essence of finding the private key s = (51, 52,..., Sn)! € Zi is solving the random 
knapsack problem on the ring Zg: 


b = aj5, + A282 +--+ + aySn (mod g), 


solve s € Zi under the probability distribution x (e). Next, we give the definition of 
LWE problem LWE,,¢,,,m with the parameters n > 1,g > 2,m > 1 and x. 


Definition 3.3.3. For any m independent samples (a;, bj) € Zi x Zq A <i <m) 
e| 
of As_,, and randomly selected samples of the error distributione = | : |, e; € 


em 
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Ziq, €i <— X, the LWE,,4,4,m problem is to solve the private key s € Zi with high 
probability (larger than 1 — 6). In other words, solve s € Z7 satisfying 


by =,< 4,8 > +e, 
bo =< 4,5 > +e 


(3.3.4) 


bin =< an, 8 > +€m 


Remark 3.3.1 If x is the trivial distribution, i.e. x (0) = 1, x(k) = Oforl <k <q, 
0 


then the samples of x are e = | : |, (3.4) becomes m deterministic congruence 


0 
equations 
b, =< a,,5 > (mod q) 
by =< a),5 > (mod q) 


Din =S< an ? s> (mod q) 
Based on the Gauss elimination, we can calculate the only private key s € Z/ from 


n congruence equations, and the computational complexity is polynomial. 


Remark 3.3.2 Let g = 2, x be the two point distribution with parameter ¢ on Zp, 
then the LWE problem on Z, is just the LPE problem. For any error distribution 


e| 
e=| : |, ife; =1, from 
em 
Pr{b; =< a;,s > +1 (mod 2)} = ¢, 
we can get 


Pr{b; =< a;,s > (mod 2)}=1-e. 


Matrix representation of the LWE,,4,,, problem 


Let A = [aj, d2,...,Am|nxm € Le be arandom matrix uniformly distributed, b = 
by e 
by e2 
E Lins e=].]e LG be the errors, and e < x”, solve the private key 
Din em 


SE Zi such that 
b =, A's +e (mod q), (3.3.5) 


where A’ is the transpose matrix of A, and (3.3.5) is a set of random congruence 
equations with errors. The probability that the ith congruence equation holds is 
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Pr{b =, A’s +e (mod q)} = 72, x (ei) = x(e). (3.3.6) 


Let A, (A) and Az (A) be q ary integral lattices (see Sect. 7.3 of Chap. 7 in Zheng 
(2022)), defined by: 


| Aq(A) = {A'x | x € Z7} + qZr (3.3.7) 


AL(A) = {x € Z| Ax =0 (mod q)} ° 


Since A,(A) = qa; (A)*, A’s € A, (A), the geometric meaning of LWE,,4, ym is to 
solve a lattice vector A’s near from b for any b € Di such that the distance b — A’s 
has the distribution x”, which is dual to the SIS problem. 


Lemma 3.3.1 Suppose A € Z7*” is a random matrix uniformly distributed, A = 
[A,, Ao], where A, € a is an invertible matrix, let A = A;'A =([h, Ay Aol, 
then A, , and A, , have the same probability distribution. 


Proof From Lemma 2.1.1 in Chap. 2, if A is uniformly distributed, then A is also a 


1 e| 


uniform random matrix. Assume b = ,e= (: ) SE Zi satisfy 
2 


b =, A's +e (mod q), 
that is, 


by =, Ais +e1 (mod q) 
by =, A,s + e2 (mod q) * 


= _ (Ath \ ._ [Ate 
B= (Ain) @= (Aho : 


Obviously, b and b have the same probability distribution, so are @ and e, 


Let A* = (A,)~!, and 


b=, Aj (7) (mod q) =, Aj(A’s + e) (mod qg) 


=, AjA’s + Aje (mod gq) =, A’s + e (mod q). 


The lemma holds. 


The above A = [I;, Ay Aol is called the normal form of the LWE problem. 


Lemma 3.3.2 Let x, y, z be three random variables on Zg, x and y are independent, 
z=x+y (mod q). If x is uniformly distributed on Zz, so is z. 
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Proof For any integer 0 < i < q — 1, we compute the probability that z takes the 


value i. 
q-1 


Priz =i} =) Pr{x=j,y=i- J) 
j=0 
q-1 
=o Prix = sPriy =i-j} 
j=0 


1 


q-1 
=—) 0 Priy=i-jl= 
j=0 


1 
a2 ‘ 


q 


Lemma 3.3.3 In the LWE distribution As, = (a,b), b is uniformly distributed if 
and only if b— < a, s > is uniformly distributed. 


Proof If b— <a,s >isuniformly distributed, from b = (b— <a,s >)+ <a,s > 
and Lemma 3.3.2, we get b is uniform. On the other hand, if b is uniform, from b— < 
a,s >=b+(-— <a,s >) and Lemma 3.3.2 again, b— <a,5 > is also uniformly 
distributed. 


According to Definition 3.3.1, the above lemma gives an equivalent condition that 
A;,, is a uniform LWE distribution. An equivalent form of the LWE problem is the 
decision LWE problem, which we call the D-LWE problem. 


Definition 3.3.4 (D-LWE problem) Given a € Z; is uniformly distributed, s € Z7, 
e € Z, with the distribution x , decide whether < a, s > +e is uniform under positive 
probability of s. 

The D-LWE problem seems easy, however, the difficulty of it is equivalent to that 
of the LWE problem. We will prove this equivalence in detail in Sect.3.4. Here we 
focus on the probability distribution x of the LWE problem. Usually, x takes the 
discrete Gauss distribution on Z,. In Chapter 1, we discussed the discretization of 
continuous random variable with Gauss distribution in R” on lattice in detail. The 
discrete Gauss distribution on Z, is actually the discretization of Gauss distribution 
on Zg. 


Recall the definition of Gauss function p,(x) in Chap. | (see (3.2.1), 
ps(x) =e BP x ER", (3.3.8) 
Ifn = 1, p,(x) is a density function of continuous random variable on R. We convert 


the corresponding random variable of p;(x) to mod 1, which becomes a continuous 
random variable defined on T = [0, 1) (mod 1) of length 1, with the density function 
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+00 
ene ee 
Vax = > a POW yeT. (3.3.9) 


k=—00 


It is easy to see that 


1 
1 
| vocoas = [ vecoas = | jontnas = 1. 
T 0 R 


In order to estimate the statistical distance between random variables defined by 
different 6, we first prove the following two lemmas. 


Lemma 3.3.4 Let t and I be positive real numbers, x, y € R" satisfy 
Ix] <t, and|x —y| <1. 


Then 
I 2 
p(y) > (1 ~ S20 +1 )) p(x). (3.3.10) 


Proof For any z € R, we have 
e*>1-z,zeER. 


Therefore, 


~ZIy/2 ake ee 
Ps(y) =e abd >e 3 (x|+ly—x1) 


on 2llxP +2?) 


W 


ew 2 aP +247) 


W 


> (1 — SQ +P))p,(x). 
AY 


Lemma 3.3.5 Let 0 <a < B < 2a, then the statistical distance between W, and 
We satisfies 


=i (3.3.11) 


R 1d 


9 
A(Was Wp) 5! 
Proof Based on 


1 
| vocoar = 1. 
0 


it follows that 
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1 
/ ne ales 
0 


dx 
k=—0o 
1 
+00 
1 _2)y_42 1 _ xy 2 
_~ [|e pl pine dx 
a 
k=-0C0 6 
+00 
1 _z 2 1 yy j2 
a —¢ FH ZANT dy, 
B a 


Let x = ay, we get 


+00 


1 
| a(x) — Walx)ldx < / oe wire ttl dy, (3.3.12) 
0 —oo 


Without loss of generality, assume a = 1, 8 = 1+ ¢, whereO < € < 1, we estimate 
the right hand of (3.3.12) 


-|2 1 ——2_ |x|? 
i ell — — -e avez 
l+e 
R 


2 ——2 |x)? 1 ——_* |x /2 
< ehh _ eae jax + f 1— earl dy 
<| ( eee 

R 


dx 


=n |x|? 


-——45 |x? 
e —e tHe) dx +e 


m(1 


1 )x? a2 
l-e (+e)? -e d+?" dx te, 


R 
R 
R 

For Vz > 0, we have 


and 1 
1 2 
oo ee | Sal = 
(l+e)? 


= ame + &7)x? < Qn ex?. 
E 
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Finally, 


1 
/ [Wa(x) — p(a)|dx < ane f x26" dx +e=ete(lte) <9. 
0 R 


Since e = & — 1, based on (3.3.12), 


— 1). 


R 1d 


i 9 
A(Wa, Wp) = Al IWa(x) — Wp(x)idx < 5! 


We complete the proof of this lemma. 


In order to obtain the discrete Gauss distribution on Z,, we construct a discrete 
processing technique for continuous random variables. Let T be any interval with 
length 1 on R, denoted as 

T = (0, 1) (mod 1). 


If p(x) is the density function of a continuous random variable g on T, we define 
a discrete random variable @ on Z, by 


G= lael. (3.3.13) 


that is, if g takes a value x € T, then @ takes the value [gx] mod q, where [x] 
is the closest integer to x. When x runs over [0, 1), obviously |gx] runs over Z,, 
so @ defined in (3.3.13) is indeed a discrete random variable on Z,. We call @ the 
discretization of @. 


Lemma 3.3.6 /f ¢ is a continuous random variable on T with the density function 
y(x), then @ is a discrete random variable on Zg, and its probability distribution 


Q(k) is 
(k+3)/4 


Prig=k} = G(k) = / g(x)dx, kK EZ. 
(k—-5)/q 
Proof 
1 1 


(k+35)/4 


= P. k : < k : = d. 
= r{( -5)ia<e<( +5) /4} = J p(x)dx. 


(k—4)/q 
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Definition 3.3.5 The discrete Gauss distribution Ve on Zz, is defined by 


(k+5)/q 
V p(k) = / Wp (x)dx, (3.3.14) 


(k—5)/4 


where g(x) is the continuous Gauss distribution on T in (3.3.9) and £ is called the 
parameter of discrete Gauss distribution. 


In the LWE problem, usually we suppose x = Ve is a discrete Gauss distribution. 
The main result in this chapter is the following theorem. 


Theorem 3.3.1 Let m = Poly(n), q < 2°"™, x = Wy be the discrete Gauss dis- 
tribution with parameter a, where 0 < a < 1, andagq > 2./n. Then the difficulty of 
solving the D-LWEy q,x,m problem is at least as hard as that of GapSVP,, or SIVP, 
problem on any n dimensional full rank lattice L based on quantum algorithm, where 
y = O(3). 

The proof of Theorem 3.3.1 will be given in the next section. Here we only introduce 
the idea of this proof. The proof of Theorem 3.3.1 is mainly divided into the following 
two steps: 


(1) Using the quantum reduction algorithm to prove that the LWE)4,x,m problem 
is as least as hard as difficult problems on any lattice such as the GapSVP and 
SIVP problems. 

Prove the difficulty of the D-LWE,, q,y,m problem is not lower than that of the 
LWE),g,x,m problem (see Theorem 3.4.1 in the next section). The original proof 
the Theorem 3.4.1 is based on the modulus q being a prime number, such as 
q = 2. Later it is generalized to the general case q = 2°") (see Regev (2009) 
and Peikert (2009)), and the proof of Theorem 3.3.1 is complete. 


(2 


YS 


3.4 Proof of the Main Theorem 


In this section, we mainly prove that the difficulty of solving D-LWE problem is not 
lower than that of the hard problem on lattice, that is, if there is a quantum algorithm 
for solving the D-LWE problem, then there exists a quantum algorithm to solve the 
hard problem on lattice. The whole proof could be divided into three parts. In order 
to better understand the three parts of proof, we first introduce the definition of the 
DGS problem. 
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= aa lemma 4.5 
’ | lemma 44 J to 
LWE toDGS — 
Hlemma4,3 l 3 =! 
4 14 ; lemma 4.1 2 
jlernma ™ |iemma 4,13 
theorem 2 \lemma4., 1 5 
\lemma4, 1 7 rm 
‘lemma4.1 6 
DGStoGIVP = 
| theorem 3 
D-LWE to LWE 


Fig. 3.1 The flowchart of the proof of Theorem 3.3.1 


Definition 3.4.1 DGS,: given an n dimensional lattice L with generated matrix B, 
a real number r > $(B), where ¢ is a real function of B. The goal is to output a 
sample from the discrete Gauss distribution Dy. 


The DGS problem is also called the discrete Gauss sampling problem. We will 
see that the difficulty of the DGS problem is polynomial equivalent to that of the hard 
problem on lattice after this proof. Next we introduce the idea of proving that the 
D-LWE problem is at least as difficult as the hard problem on lattice. This proof could 
be divided into three parts, which are given in Sects. 3.4.1, 3.4.2 and 3.4.3. In Sect. 
3.4.1, we prove that if there is a quantum algorithm to solve the LWE problem, then 
there is also a quantum algorithm to solve the DGS J, (7) problem. In Sect. 3.4.2, 
we give a reduction algorithm from the GIVP 4 problem to the DGSg problem, 
so that we have completed the proof that the LWE problem is not less difficult than 
the hard problem on lattice. In Sect. 3.4.3, we further prove that the D-LWE problem 
D-LWEn.g,x,m can be reduced to the LWE,, 4, ,,m problem and complete the proof of 
Theorem 3.3.1. The flowchart of the whole proof is shown in Fig. 3.1. 


3.4.1 From LWE to DGS 


In this subsection, we will solve the DGS 7, (7)/q problem by the algorithm of 
LWE),¢,u,,m problem. The main conclusion is the following Lemma 3.4.1 , and its 
proof depends on Lemmas 3.4.2 and 3.4.3. We give these three lemmas first. 
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Lemma 3.4.1 Let m = Poly(n), ¢ = e(n) be a negligible function of n, q = q(n) 
be a positive integer, a = a(n) € (0, 1), ag > 2./n, x = Wa. Assume that we have 
an algorithm W that solves the LWE,,4,v,,,m problem given a polynomial number 
of samples, then there exists an efficient quantum algorithm for the DGS jin. (1) ja 
problem. 


Lemma 3.4.2 For any n dimensional lattice L and a real number r > 2?"1,(L), 
there exists an efficient algorithm that outputs a sample from a distribution that is 
within statistical distance 2-2 of the discrete Gauss distribution Dy, where Q(n) 
is a polynomial function or exponential function of n. 


Lemma 3.4.3. Let m = Poly(n), ¢ = €(n) be anegligible function of n, q = q(n) > 
2 be a positive integer, a = a(n) € (0, 1). Assume that we have an algorithm W 
that solves the LWE;,q,y,,,m problem given a polynomial number of samples, then 
there exists a constant c > 0 and an efficient quantum algorithm that, given any 
n dimensional lattice L, a real number r > V2qn¢(L) and n° samples from DL, 
outputs a sample from Dy, jj(aq)- 


Proof of Lemma 3.4.1: Given an n dimensional lattice L and a real number r > 
V2nn-(L)/a, our goal is to output a sample from the discrete Gauss distribution 
D_,,. The idea of this proof is to use iteration steps. Let 


n=req/ Jn), 02 1,2,...53n. 
Based on Lemma 1.3.6 in Chap. 1, 


In 1/e A,(L) 


1s n 


13, > "4 > 23"/2nn(L)/a > 2°" 2n IL), 

By Lemma 3.4.2, we can produce samples from the discrete Gauss distribution Dz ,,, . 
Suppose c is the constant from Lemma 3.4.3, we output n° samples from Dy ,,,. 
According to Lemma 3.4.3, we can get samples from the distribution Dz... i/(aq)> 
i.e. Dz,,,_,- Repeat this process, since 


ry =rag/Jn > V2nne(L)/a-aq//n = V2qne(L), 


which satisfies the condition of Lemma 3.4.3, finally we can output a sample from 
Dy», fnj(aq) = Dx.r- The lemma holds. 


Proof of Lemma 3.4.2: By the LLL algorithm (Lenstra et al. (1982)), we can choose 
the generated matrix B = [b), bo,..., b,] of L satisfying bj < 2”2,(L), 1 <i <n. 
Suppose F'(B) is the basic neighborhood of lattice L. The algorithm in Lemma 3.4.2 
can be achieved by the following steps. First we generate a sample y from the discrete 
Gauss distribution D,, where 


r(x) 


rn 


D,(x) = , Vx ER". 
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We get y’ = y mod L € F(B), andx = y— y’ € L. Denote the distribution of x as 
&, next we prove the statistical distance between € and D ,, is exponentially small. 
Note that 


ly'| < diam(F(B)) <)> [b;| < n2"A,(L), 
i=1 


where 
diam(F(B)) = max{|u — v| | u,v € F(B)}. 


Based on Lemma 1.3.4 in Chap. 1, 
p(L\JarN) < (rv 2xee*")"p(L), 


here N is the unit ball. This means p(L\./nrN) is exponentially small, so we can 
always assume x < ./nr. By Lemma 3.3.4, let t = ./nr, 1] = n2"A,(L), by some 
simple calculations we get 


Pr{é = x) = / D, (y)dy > | (1 — 2-2), (dy 
x+F(B) x+F(B) 
= (1 — 2-2) D, (x) det(L). 


On the other hand, from Lemma 1.3.2 in Chap. 1, 


r(x) _ Pr (x) S r(x) 


Pr{Di, =x} = = < 
pPr(L) — det(L*)r"p1/,(L*) ~ det(L*)r" 


= D,(x)det(L). 


So we have 
Pr(é =x} > (1 = 2-°™)Pr{ DD; = 2}. 


Summing x € L on both sides, we get the statistical distance between € and Dy, , is 
exponentially small. The lemma holds. 


Definition 3.4.2 (1) CVP; 4: given ann dimensional lattice L,atarget vectort € R”, 
areal number d, dist(t, L) < d, find u € L such that 


ju—t|= min |x—-tl. 
xeEL,|x—t|<d 


(2) cve”;: given an n dimensional lattice L with generated matrix B, a tar- 


get vector f € R”, a real number d, dist(t, L) < d, denote K;(t) = {ue L | |u— 
t| = min|x —t|}, i.e. Kz(f) is the closest vector to f in the lattice L, output 
rel 


-1 , n 
BK, (t) mod q € Z/. 
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The CVP problem is also called the closest vector problem. In order to prove 
Lemma 3.4.3, we need the following two lemmas, Lemmas 3.4.4 and 3.4.14. In 
Lemma 3.4.4, we use the samples of Dz, to solve the CVP;« 44/3) problem, and 
Lemma 3.4.14 shows that we can generate a sample of D,_ j/aq from the algorithm 
of solving the CVP/« «44 /(,/3,) Problem so that we complete the proof of Lemma 3.4.3. 
The following content is divided into two parts. In the first part, we use Lemmas 3.4.5 
to 3.4.11 to prove Lemma 3.4.4, which is to solve the CVP7« y4/(./3,) problem based 
on the samples of D,,. In the second part, we prove Lemma 3.4.14 according to 
Lemmas 3.4.12 and 3.4.13, and achieve the transition from solving CVP/» 44 /(/3;) 


to Di + fa/aq: 


Lemma 3.4.4 Letm = Poly(n), ¢ = ¢(n) be anegligible function of n, q = q(n) > 
2 be a positive integer, a = a(n) € (0, 1). Assume that we have an algorithm W 
that solves LWE),q,y,,,m given a polynomial number of samples, then there exists a 
constant c > O and an efficient algorithm that, given any n dimensional lattice L, 
a real number r > /2qn,-(L), and n° samples from Dir, solves the CVP 5+ «aq /(V2r) 
problem. 


Proof This lemma is proved directly by the following Lemmas 3.4.5 to 3.4.11. 


Lemma 3.4.5 shows the relationship of difficulty between the CVP and CVP 
problems. 


Lemma 3.4.5 Given ann dimensional lattice L, arealnumberd < h,(L)/2,q > 2 
is a positive integer. There exists an efficient algorithm to solve the CVP.4 problem 
based on the algorithm for CvVPe 


Proof Let x € R" satisfying dist(x, L) < d be the target vector, define vectors {x,} 
and {a,} as follows: x, = x, 


a; = BK ,(,) € Z", i > 1, 
which is the coefficient vector of the closest vector to x; in lattice L, 
Xi41 = (x; — B(q@; mod g))/q, i 2 1, 


it is easy to prove 
i+1 = (a; — (ai mod q))/q, 


and 


|X 


Ixi41 — Bajsil < 


z 


SQ 


That is, the distance from x,,4; to lattice L is no more than a Note that a could be 
sufficiently small if n becomes lager enough. Based on the nearest plane algorithm 
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by Babai (1985), we can find y € L such that y is the closest vector to x,4, in lattice 
L. Let y = Ba, then a,,; = a, combine with 


di+1 = (a; — (a; mod g))/q, 


we get Gn, dn—1,..., a), and complete the process of solving the CVP; 4 problem. 
This lemma holds. 


We introduce the definition of the LWE distribution A, , in Definition 3.3.2, where 
x is a distribution on Z,. If the value space of x is changed to T = [0, 1), we can 
give another definition of LWE distribution. 


Definition 3.4.3 Lets € Dis e be arandom variable on T with density function ¢. 
The LWE distribution A, 4 = (a, b) € Zi x T generated by s and ¢ satisfies: 
(jae Zi is uniformly distributed. 
(2)b=a-s/q+emod 1. 


The LWE distribution we discuss later in this section is always Ay. 


Lemma 3.4.6 Let q = q(n) > 1 be a positive integer, given s' € Zi, and samples 
from As,y,, for some unknown s € Zi, a < 1. There exists an efficient algorithm that 
determines whether s’ = s with probability exponentially close to 1. 


Proof Let (a, x) be a sample from the LWE distribution A; y,, T = [0, 1), € be a 
random variable on T with density function p(y) such that 


E=x-a-s'/q=e=eta-:-(s—s’)/q. (3.4.1) 


The steps of the algorithm are as follows. Generate n samples y, yo,..., Yn, of € and 
compute 


1~ 
=-— cos(27ry;). 
Zz 2 (21ry;) 


If z > 0.02, then we confirm s = s’, otherwise, we decide s 4 s’. Next we prove the 
correctness of this algorithm. 

Ifs = s’, by (3.4.1) we geté = e with the distribution W. On the other hand, ifs # 
s’, then there is 1 < j <n, suchthats; A 8, where s; and &, are the jth coordinates 
of s and s’ , respectively. Let g = ged(q, 5; — 7) k = q/gcd(q, sj — Ss a; be 
the jth coordinate of a, it is not hard to see the distribution of a;(s; — s;) mod q 
has period g, i.e. the distribution of aj;(s; — s;)/q mod | has period g/g = 1/k, 
k > 2. Since & is regarded as the sum of a;(s; — s;) /q mod | and an independent 
random variable, therefore, the distribution of € also has period 1/k. Assume Z is 
the expectation of cos(27ré), 
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1 1 


2 = Elcos(27é)] = i cos(27y) p(y)dy = Re / 2" p(y)dy. 
0 0 


When s = s’, the distribution of € is Wy, the right hand of the above formula could 
be computed as z = e-™@” When s # s’, the distribution of & is periodic with period 
1/k, note that the integral of the periodic function e?*"” p(y) with period 1 is fixed 
in any interval of length 1, then 


1 I+; 


i e""” p(y)dy = / e**"” p(y)dy 
: i 
1 


i eo p(y)dy 


So 


1 
=er / e""" p(y)dy. 
0 


From k > 2 we know Z = 0, by the Chebyshev inequality, 


_ Var[cos(27€)] 


Pr{lz—2| < 0.01} > 1 
nee! 0.012n 


The probability of |z — z| < 0.01 is exponentially close to 1 when n is large enough. 
Thus, we confirm s 4 s’ with probability exponentially close to 1 if z < 0.02. We 
complete the proof. 


Based on Lemma 3.4.6 and the algorithm for LWE,,4,y,,,m, for any B <a and 
samples from A,.y,, the following Lemma 3.4.7 gives an algorithm to solve s with 
probability close to 1. 


Lemma 3.4.7 Let g = q(n) > 2 be a positive integer, a = a(n) € (0, 1). Assume 
that we have an algorithm W that solves LWE) q,y,,,m with a polynomial number 
of samples, then there exists an efficient algorithm W’ to solve s with probability 
exponentially close to | for some samples from As y,, where B < a and B is unknown. 


Proof Assume we need n° samples in the algorithm W, c > 0 is a constant. Let the 
set Z be 
Z={y|y =6n-“a* € [0, a7], 5 € Z}. 


The steps of algorithm W’ are as follows. For each y € Z, we repeat the following 
process n times. Each time we get n° samples from A;y,, and add samples from 
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Ww yy to the second component of each sample from A; y,, 80 we obtain n° samples 
from As y JS" We solve s’ by algorithm W and determine whether s’ = s. If s’ = 5, 
Y 


output s’ and we complete the algorithm. Next we prove that the above algorithm 
could achieve the goal of solving s with probability exponentially close to 1. Assume 


T =minly € Z,y > a2 — B?}. 
From the definition of the set Z 
Tg? -p +n’, 
Let a’ = \/p? +T, we have 
asa’ < Var +n-%o? < (14+ Ja. 


Based on lemma 3.3.5, 
9 : 9 
A a> wiz —-1l <n 
uted <8(%-1) 2 


Therefore, the statistical distance between the n° samples from Wy and n° samples 
from Wy is no more than 9n~°, which means the probability that the algorithm 
W solves s successfully is at least 1 — 9n~° > 5. It follows that the probability of 
solving s unsuccessfully n times is no more than 2~”. The lemma holds. 


To prove our main result, we need two properties about the Gauss function and 
statistical distance. 


Lemma 3.4.8 For any n dimensional lattice L, c € R", ¢ > 0, r > ne(L), we have 


o,(L +c) € r"det(L*)(1 £ ). (3.4.2) 


Proof Based on Lemma 1.3.2 in Chap. 1, 


pr(L +c) = >> p,,-c(x) = det(L*) Y> p,~c(y) 


xeL yeL* 


= r"det(L*) DY) pir) 
yeL* 


=r"det(L*)(1 + > MY o ,(y)). 
yeL*\{0} 


From r > n,(L), it follows that ;/,(L*\{0}) < e, and 
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>. ery 1 1,(y) < +e Piyr(y) Se. 


yeL*\{0} yeL*\{0} 


We get 


pr(L +c) =r"det(L*) | 1+ = ereY ny, (y) | € r"det(L*)(1 £6). 
yeL*\{0} 


The proof is complete. 


Lemma 3.4.9 For any n dimensional lattice L, u € R", € < 5, r, S are two positive 


real numbers, t = Jr? + s*, assume rs/t = 1//1/r? + 1/s? > n-(L), let € be the 


sum of a discrete Gauss distribution D,+,,- and a noise distribution D,, then 
A(&, D,) < 28. (3.4.3) 


Proof Let the density function of € be Y(x), then 


1 


Y¥(x) = ———_ PO p(y) as(x — y) 
™ pr(L + u) yeL+u 
= y exp | —z | | + 
S pr (L sw u) yeL+u r AY 
1 r2 + sz r2 2 1 - 
= ex 4 + 
s"p,(L + u) 22 ’ ( ( pe» @ie'| "pao" 


ex i | le : 
= x 
a + 52 s"p,(L + u) 


y Xx 
2 92 2 2 
yeL+u fa rors 
Pt (x) Prs/t,(r/t)2x—u (L) 
s” Pr,-u(L) 


_ A(x) Prs/t,(r/t)2x—u(L*) 

SB -u(L*) 

_ pr(x) (t/15)" Prsjt(r/t)2x—u(L”) 
1” Cire wry 


(3.4.4) 
Based on the Fourier transform property of Gauss function in Lemma 1.2.1 in Chap. 
1, we get 


Prajtte fea (w) = exp(—27 i ((r/t)?x —u)- w)(rs/t)” Pr/rs (w), 
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and 
bru (w) = exp(2miu - w)r" p1/r(w). 


Sincer > * > n-(L), 
[1 — (¢/1s)" bys/1crj2x—w(L")| < Pr/rs(L*\{0}) < €, 
[1 — 1/7)" 6,,-w(L")| < pry (L*\{0}) < €. 
It follows that 


fe Bre Oxnerteal DY ..1 
E — C/18)" Prsitoitys ( dg FE cpa, 
—¢ 


1-2e< < a 
l+e (1/r)"y,-u(L*) 


By (3.4.4), 


(6) — 2D) «4p, 


Integrate for x € R", 


ag. d=; fe) - Phar <6 


R" 


We complete the proof. 


Lemma 3.4.10 For any n dimensional lattice L, vectors z,u € R", real numbers 
ra>Oe< 5, ne(L) < 1/V1/r? + (|z|/a)2, let v be a random variable of the 
discrete Gauss distribution Dz+y,r, e be a random variable of Gauss distribution 
with mean 0 and standard deviation a//2n, & be a random variable of Gauss 
distribution with mean O and standard deviation V(r|z|)2 + at? // 27, then 


A(z-u+e,&) < 2e. (3.4.5) 
In particular, 
A(z-u+e mod 1, (epee) < 2e. (3.4.6) 


Proof Let the random variable h has distribution D,/z;, then the standard deviation 
of his w/(|z|</2z7), and the standard deviation of z - his |z| - @/(\z|\/27) = a//20 
which is the same as that of e. Since both of them have Gauss distributions, we get 
the distributions of z-h and e are the same, i.e. z- u+ e and z- (v+h) have the 
same distribution. Based on Lemma 3.4.9, let s = a/|z|, it follows that the statistical 


distance between v + A and D ele? is no more than 2e, 


AW+h, D yeep < 26. 
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By the property of statistical distance, 


AG: WU+h),2-D pai <2 


Here the standard deviation of z - D Fale? is 


lzl Vr? + (ae/lzlP/V 2x = J (rll)? + 02/V 2x, 


which is the same as that of €. Note that both of the two random variables have Gauss 


distributions; therefore, z - D alley? and é have the same distribution, i.e. 


A(z-u+e,&) < 2, 


mod 1 for both of the two random variables, 


AG@-u+emodl,W (arg) < 26. 


The lemma holds. 


Lemma 3.4.11 Let ¢ = e(n) be a negligible function of n, q = q(n) > 2 be a pos- 
itive integer, a = a(n) € (0, 1). Assume we have an algorithm W to solve s given 
a polynomial number of samples from Ay, for any B < a (B is unknown), then 
there exists an efficient algorithm that given ann dimensional lattice L, a real num- 
ber r > /2qn-(L) and a polynomial number of samples from D_,, to solve the 


(q 
CVE cayG/an problem. 


Proof For a given x € R", dist(x, L*) < aq/(V2r), denote the generated matrix 
of L is B, and the generated matrix of L* is (B’)~', our goal is to solve s = 
B’ K,«(x) mod q. The idea of algorithm W’ is to generate a polynomial number 
of samples from A;_y,, and solve s according to the algorithm W. 

The steps of algorithm W’ are as follows: let v € L be a sample from the discrete 
Gauss distribution D; ,,a = B~'v mod q, e be random variable of Gauss distribution 
with mean 0 and standard deviation aw/(2,/7), then there is 8 < @ such that the 
statistical distance between (a, x - v/q + e mod 1) and A,.y, is negligible. Next we 
prove the correctness of this algorithm. 

Firstly, note that the distribution of a is almost uniform, i.e. the statistical distance 
between a and the uniform distribution is negligible. This is because for any ay € Z”, 
we have 

Pr{a = ao} = p-(qLh + Bao) = prjqg(L + Bao/q). 


Since gn;(L) <r, based on Lemma 3.4.8, 


Pr{a = ao} = prjq(L + Bao/q) € (r/q)"det(L*)(1 + €), Vag € ZI. 
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This implies a is almost uniformly distributed. 
Secondly, we consider the distribution of x - v/g + emod1.Letx’ = x — K;+(x), 
from dist(x, L*) < ag/(/2r) we get |x| < aq/(V/2r) and 


x-v/q+emod 1 = (x'/q)-v+e+ Ki«(x)-v/q mod 1. (3.4.7) 
We compute the distributions of K;«(x) - v/q mod | and (x’/q) - v + e, respectively. 
It is easy to see 
Ki(x) 0 = (BY Ky +(x) - (B™'v), 
therefore, 
K,»(x)-v mod q = (B' K;+(x))- (B~!v) mod g = s-amod q. 
This means K;+(x) - v/qg mod | ands - a/q mod | have the same distribution. In order 


to get the distribution of (x’/q) - v + e, note that v has discrete Gauss distribution 
Dgi+Ba,r, and e has Gauss distribution with mean 0 and standard deviation a/(2,/7), 


let B = J/(r|x’|/q)? +02/2 <a, 


fy) 1/r? + (W/2|x!|/ouq)? > r/V2 > ane(L) = ne(QL) 


satisfies the condition of Lemma 3.4.10. By Lemma 3.4.10, (x’/q) - v + e almost has 
the distribution wg and the statistical distance of them is negligible. From (3.4.7), 
x-vu/q +e mod 1 and wg + s- a/q mod | have the same distribution. Above all, 
we get the statistical distance between (a, x - u/q + e mod 1) and A, ,,, is negligible 
so that the algorithm W’ is correct. We complete the proof. 


Combining the above Lemmas 3.4.5, 3.4.7 and 3.4.11, we obtain the conclusion 
of Lemma 3.4.4 immediately, which shows that we can solve the CVP/. 44/./3;) 
problem by the samples of D ,,. In order to prove Lemma 3.4.3 completely, we 
introduce the technique of quantum computation to prove there is an efficient quan- 
tum algorithm to generate a sample from Dy ,. /7/qq based on the algorithm for the 
CVP 7s ag /(/2r) Problem. 


/aq 


Definition 3.4.4 For a real number a € R and a vector x € R", we define the Dirac 
notation a|x) = ax. Let A be a finite or countable set in R”, f be a function from 
R” to R, a quantum state is defined by 


Y fOm=>) fax (3.4.8) 


xeEA xeA 


if > 4 f(x)x converges. 
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The knowledge about Dirac notation and quantum state is an important part of 
quantum physics. Since it involves too much content beyond the scope of this book, 
we will not introduce it in detail. We only provide the Lemmas 3.4.12, 3.4.13 and 
3.4.14 here. The readers could refer to Nielsen and Chuang (2000), Shor (1997) 
for details. The following Lemma 3.4.12 gives the discrete Gauss quantum state on 
lattice, where the lattice L satisfies L C Z". 


Lemma 3.4.12 Given ann dimensional lattice L C Z", r > 27"1,(L), there exists 
an efficient quantum algorithm to output a state within negligible I, distance from 
the following state 


De Ver)Ix) = D7 oyay(x)Ix). (3.4.9) 


xeL xeL 


Let L be ann dimensional lattice, R be a positive number, L/R = {x/R|x € L} 
be a lattice obtained by scaling down L by a factor of R. The following lemma 3.4.13 
claims that the quantum state on lattice is on points of norm at most ./n. 


Lemma 3.4.13 Let R be a positive integer, L be ann dimensional lattice such that 
A\(L) > 2./n, F be the basic neighborhood of L. v, and v2 are defined by 


vp = > p(x)|x mod L). (3.4.10) 
xEL/R,|x|<./n 
and 
v2 = >) p(x)|x mod L) 
xeEL/R 
(3.4.11) 
= >) Yo p@-y)Ix). 
L/ROF yeL 


Then the ly distance between “+ and ~2 is negligible. 


lui | |v2| 


The following Lemma 3.4.14 gives an algorithm to generate a sample from 
D1. yaj/2a) based on the algorithm for the CVP;+,¢ problem. 


Lemma 3.4.14 Given ann dimensional lattice L, a real number d < ),(L*)/2, if 
there exists an algorithm to solve the CVP ;«,¢ problem, then there is an efficient quan- 
tum algorithm to generate a sample from the discrete Gauss distribution Dy 7)/3a)- 


According to Lemma 1.3.6 in Chap. 1, when r > /2q7(L), we have 


aq a a Ta ‘ 41 (L*) 
Je i aN je 
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replace d in Lemma 3.4.14 with aq /(./2r), then there exists a quantum algorithm to 
generate a sample from the discrete Gauss distribution Dz» /z/ag given the algorithm 
for the CVP/« yg /(/2r) Problem. 


Combine Lemma 3.4.4 with Lemma 3.4.14, for r > J/2q n-(L), we have proved 
that one can solve the CVP_.« 44 /(./3-) problem given the algorithm for the LWE,, 4,y,,,m 
problem and a polynomial number of samples from D,_,, and further to generate a 
sample from Dy. /zjaq> Which is the whole proof of Lemma 3.4.3. So far, we get the 
main Lemma 3.4.1 in this subsection and finish the first part of proof for Theorem 
3.3.1, ie. from the algorithm for LWE,, 4,y,,,m problem to solve the DGS endl tiee 
problem. 


3.4.2. From DGS to Hard Problems on Lattice 


In this subsection, we are to prove that if there is an algorithm to solve the DGS 
problem, then there exists a probabilistic polynomial algorithm to solve the hard 
problems on lattice. Take the GIVP problem as an example, that is, find a set S = 
{s;} C L of n linearly independent vectors in L, such that 


|S| = max |s;| < y(n)(B), 


where y(n) > 1 is a function of n, B is the generated matrix of L, @(B) is a real 
function of B. Specially, if @ = A, then the GIVP problem becomes the SIVP prob- 
lem. In order to complete the proof of reduction algorithm from the hard problems 
on lattice to the DGS problem, we introduce the following two lemmas first. Lemma 
3.4.15 shows that with a positive probability, the samples from discrete Gauss dis- 
tribution are not all contained in a given plane with dimension no more than n. 


Lemma 3.4.15 Given an n dimensional lattice L C R", ¢ < > r> V/2N- (L), let 
H be a plane in R" with dimension no more than n — 1, x be a sample from the 
discrete Gauss distribution D,,,, then 


1 

P. A}> —. 

r{x € H} 10 

Proof h = (hy, ho, ..., hn) € H, without loss of generality, we suppose that H is 
h, = 0,1.e. the plane of all points with the first coordinate 0, let x = (x1, X2,..., Xn). 
Consider the expectation E[e~*“'/ a]; based on Lemma 1.3.2 in Chap. 1, we have 
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E [ema 


x~Dz> 
ent 2x1/7 6 =n (x2/r)? , ent n/t 
~ pr 5 d 
_ det(L*)r" Soe RON? OY... gM? 
V2p,(L) Jo 
e det(L" yr” 
S Faptty ee 


where y = (yj, Y2,---, Yn) € L*. Since r//2 > n,(L), we get 
Pyar (L") = 1+ pyay,-(L*\(0}) < 1 +e. 


It follows that 
z fenton? i< det(L*)r” 


1l+e). 
noe Peay 


By Lemma 1.3.2 in Chap. | again, 
br(L) = det(L*)r" pij-(L*) > det(L*)r", 


therefore, 


l+e 9 
E =n (x,/r)? < ge 
oe oe 


On the other hand, 


EB eral yy PD renry 


x~Dir x€H,x~D,, br(L) 


= Ss Pr (x) = Pr{x € H}. 


x€H,x~D,, 


According to the above two inequalities, 


9 
Pr{x ¢ H — 
r{x }< 10’ 
that is, ; 
P HA} > —. 
r{x ¢ H} 10 


The lemma holds. 
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Based on Lemma 3.4.15, the following lemma shows that it is possible to find 
n linearly independent vectors from n* independent samples of the discrete Gauss 
distribution D;,, with probability close to 1, which provides a guarantee for solving 
the GIVP problem later. 


Lemma 3.4.16 Given ann dimensional lattice L C R",¢ < > r> V/2n¢ (L), then 
the probability that a set of n* vectors chosen independently from D1, contain non 


linearly independent vectors is exponentially small. 


Proof Let x1, X2,...,X,2 be n2 independent samples from D;,,, fori = 1,2,..., 
n — 1, let B; be the event that 


dim span(x,, x2, ..., Xin) = dim span(x), x2,...,X@41)n) <n. 
If none of the events B,, Bo,..., B,-; happens, then 
dim span(x, %2,...,%,2) =N, 


i.e. there exists n linearly independent vectors in these n” 


the probability of B;, by Lemma 3.4.15, 


samples. Next we estimate 


9 
Pr{x; € span(x1, X2,.-.,Xin)} < 70’ Vint+ley7cG+ na. 
Thus, 
9 n 
Pr{Xinti, Xint2> +++» XG40n © Span(X1, X2,...,Xin)} < To}? 


that is, 


It follows that 


9 n 
Pr{B, NO B2N---A Bri} =1—Pr{B,U---UB,1} >1—-M— »(2) ; 
this means the probability that none of B,, Bz, ..., B,-1; happens is close to 1, ie. 
the probability that there are n linearly independent vectors in these n* independent 
samples from D;_, is close to 1. We complete the proof. 


Based on the above preparations, let’s prove the main conclusion in this subsection. 


96 3 Learning with Error 


Lemma 3.4.17 Given ann dimensional lattice L, € = e(n) < at @(L) > V2ne(L), 
if there exists an algorithm for the DGSg problem, then there is a probabilistic poly- 
nomial algorithm to solve the GIVP, jj, problem. 


Proof By the LLL algorithm we choose the generated matrix S = [s), 52,..., 5,] of 
lattice L such that s; < 2”2,(L), 1 <i <n. Let 


An = |S| = max |s;| 
l<i<n 


be the length of the longest column vector in S, then 


ALY < dy S21). 


For each i € {0,1,..., 2n}, let 7; = an, we generate n independent samples 
from D__,, based on the algorithm of the DGS, problem, and the corresponding sets 
of n” vectors are denoted as So, S},..., Son. If ae < f(L), we have 


An = |S| < 2/n@(L), 


so S is a solution of the GIVP) 74 problem. If ¢(L) < An, then there exists i € 
{0, 1,..., 2n} such that 6(L) <r; < 26(L) according to Lemma 1.3.6 in Chap. 1, 


n n 2n+1 
An <2" dn(L) < 2 Aa ne(L) <2" b(L), 


combine rg = hn > &(L) withra, = 2-2nj < 2¢(L), we know there is 7; satisfying 
o(L) <r; < 2¢(L). By Lemma 3.4.16, the probability that S$; contains n linearly 
independent vectors v1, V2,..., U, 18 close to 1. Based on Lemma 1.3.4 in Chap. 
1, the probability each v; no more than ./nr; < 2,/n@(L) is close to 1. Let V = 
[v1, U2,..., Un], we get |V| < 2,/n@(L), so we find a solution of the GIVP» jag 
problem. This lemma holds. 


In Chap. 2, we have proved that the hard problems on lattice such as the GIVP and 
GapSIVP problems can be reduced to the SIS problem, so the difficulties of solving 
the hard problems on lattice are the same. In Lemma 3.4.17, we prove that if there is 
an algorithm for the DGS problem, then there is a probabilistic polynomial algorithm 
to solve the GIVP problem with positive probability, which can also solve the other 
hard problems on lattice. So far we have completed the second part of the proof 
of Theorem 3.3.1. In the first part, we have proved that if there is an algorithm for 
the LWE problem, then there exists a quantum algorithm to solve the DGS problem. 
Combining the two parts of the proof, we get the feasibility to solve the hard problems 
on lattice based on the algorithm for solving the LWE problem, that is, the difficulty 
of solving the LWE problem is not lower than that of the hard problems on lattice. 
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3.4.3 From D-LWE to LWE 


In this subsection, we will finish the third part of the proof for Theorem 3.3.1, i.e. 
the difficulty of the D-LWE problem is at least as high as that of the LWE problem, 
which is given in the following Theorem 3.4.1. 


Theorem 3.4.1 Let n > 1 be a positive integer, 2 <q < Poly(n) be a prime num- 
ber, x be a distribution on Zyq. Assume that we have an algorithm W to determine a 
sample from the LWE distribution Ax, or the uniform distribution U with probability 
close to 1, then there exists an algorithm W' to solve s given some samples from the 
LWE distribution As, with probability close to 1. 


Proof Let s = (51, 52,...,5n) € Za we give the steps for solving s, of the algo- 
rithm W’, and s2,..., 5, could be solved in the same way. For k € Z,, consider the 
following transformation of the LWE sample (a, b), where a is uniformly distributed 
on Zj,b=a-s+e,e< x, 


(a,b) — @+(,0,...,0),b +k), 
here / € Z, is uniformly distributed. If k = s,, then 
b+lk=a-s+tet+ls; =(a+(,0,...,0))-s+e, 


note that a+ (/,0,...,0) is also uniform on Zi therefore, (a + (/,0,...,0),b+ 
Ik) has the LWE distribution A, ,. 

On the other hand, if k 4 s,, at this time /k and b are independent, based on / is 
uniform on Z,, it follows that /k is also uniform on Z,. By Lemma 3.3.2, we get 
b + 1k is uniform on Z,, so (a + (J, 0,..., 0), b + /k) is uniform. By the algorithm 
W, we determine (a + (/,0,...,0), b +/k) is from the LWE distribution A, , or the 
uniform distribution, and check whether s, is equal to k. Since the number of possible 
values of k is g, we can always find the solution of s,. After solving sz, 53,..., 5, in 
the same way, we get the solution s. The lemma holds. 


In Theorem 3.4.1, we prove that the difficulty of the D-LWE problem is not lower 
than that of the LWE problem and complete the whole proof of Theorem 3.3.1. The 
difficulty from solving the D-LWE problem to the LWE problem, then to the hard 
problems on lattice does not increase. We will further discuss the LWE cryptosystem 
with the probability of decryption error in the next chapter. 
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Chapter 4 ®) 
LWE Public Key Cryptosystem ra 


In 2005, O.Regev proposed the first LWE public key cryptosystem at Tel Aviv Univer- 
sity in Israel based on LWE distribution A, ,. Because of this paper, Regev won the 
highest award for theoretical computer science in 2018—the Godel Award. The size 
of public key is O(n?) bits, and the size of private key s and ciphertext is O(n) bits. 
The plaintext encrypted each time is | bit. In fact, the LWE public key cryptosystem 
is a probabilistic cryptosystem, which depends on a high probability algorithm. Since 
the security of LWE problem has been clearly proved (see Chap. 3), the LWE cryp- 
tosystem has received extensive attention as soon as it was proposed, and it becomes 
the most cutting-edge research topic in the lattice-based cryptosystem study. 


4.1 LWE Cryptosystem of Regev 


Letn > 1,q > 2 be positive integers, x be a given probability distribution in Z,. By 

Definition 4.3.1 in Chap. 3, the LWE distribution A, , is 
As,x = (a,b) € Zi x Za, 

ioe a,s > +e (mod q), oh 


where a € Z; is uniformly distributed, s € Zj is the private key chosen at random, 
e €Z,, e <x is called error distribution. LWE cryptosystem depends on LWE 
distribution A, ,, and its workflow has the following three steps: 


(1) Public key. 


First we choose s € Zj at random as the private key, let m = O(nlogq). Then we 
choose m samples distributed from A, ,, (a;, bj) € Zi x Zq,€) € Lg, 8 — XK 
i <m. Let 

A= [ay, Q2,.+-, Am|nxm € i eae 
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by | 
by 2 

m 

b = . »,e= a x Py 
bin em 


where A is a matrix uniformly at random, e < x” indicates the m samples are 
independent. The public key of LWE cryptosystem is the following (n + 1) x m 
matrix 


A= (3) € sa aaah (4.1.2) 


If the uniformly random matrix A is given and saved for all the users of LWE 
b 


bo 7 
cryptosystem, then the true public keyisb = | . | € Z? with size O(m) = O(n). 


bm 
The public key and private key satisfy the following equation: 


(-s', I)A =, e! (mod q). (4.1.3) 


(2) Encryption. 
In order to encrypt plaintext of 1 bit uw € Zo, let x € {0, 1}” be an uniformly dis- 
tributed m dimensional vector with each entry 0 or 1. The ciphertext c € oat is an 
(n + 1) dimensional vector in Z,, defined by 

0 
L 


u- 


fal) == Ax + ( :) e Zntl, (4.1.4) 


q 
2 


where 0 = | . Zi, ULF] € Zq, L$] is the nearest integer to 4. We call f4 the 


0 
encryption algorithm of LWE. In order to understand the encryption algorithm better, 
we give another definition of f4. 
The following set {1,2,...,m} has 2” subsets. We choose a_ subset 
Sc {1,2,...,m} uniformly at random which is called the index set. Then the 
encryption algorithm f,4(u) for plaintext u € Zz is 


cS fw <8) € Zit (4.1.5) 


In fact, the subset S is corresponding to the uniformly chosen vector x € {0, 1}”. 
The above algorithm (4.1.5) was proposed by Regev originally. 
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(3) Decryption. 


We use the private key s € Zi for decryption of the ciphertext c. Actually we only 
need to decrypt for the last entry of vector c. We have 


i. (c) = (-s', le = (~s' Ax +ult 7 | =, ex tulg | (modgq). (4.1.6) 
The error samples are much smaller than g, namely 


Yie=elx < [51/2. (4.1.7) 


ieS 


Therefore, by comparing the distances between the right side of (4.1.6) and 0 or L$] : 
one can decrypt successfully: 


0, if (—s’, 1)c is closer to 0, 


1, if (—s’, 1)c is closer to | $], (4.1.8) 


f= | 


finally we have fy '(c) = wand finish the whole workflow of LWE cryptosystem. 
Both of the encryption algorithm and decryption algorithm of LWE are proba- 
bilistic algorithms, so we should verify the correctness, namely 


Pr{fq (Cc) =u} > 1 -S(n). (4.1.9) 
Here 5(n) is anegligible function of n, i.e. d6(n) = 0 (as = ) , Ve > O, more precisely: 


lim 6(n)log*‘n = 0, Ve > 0. 
n—->oo 


We prove (4.1.9) with given discrete Gauss distribution x = W,. For a € Zy, 
Zq = {0,1,...,¢— 1}, 


_ ja, ifO0<a L41, 
ce ee ele <¢— 1. (4.1.10) 


For x € T = [0, 1), we define 


27 (4.1.11) 


re x, if0<x<t# 
=| a ee 1, 


Lemma 4.1.1 Let 6 > 0,0 < k < m, if the distribution x* satisfies 


Pr. {lel a 31/2} S15, (4.1.12) 
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then (4.1.9) holds, i.e. 

Pr{fx'(c) =u} > 1-6. 
Proof When we choose the error samples e; € Z,, e; <— x, we can always guaran- 
tee e; = |e;| without changing the probability distribution. By (4.1.7), suppose that 


|S| = k, the corresponding sample 


e| 
k 


e=|. 1, lel= Yl 2h 
As long as (4.1.7) holds, i.e. 
q -1 
lel < 51/2 > fal) =u, 


then 


Pr{ fx'() =u} > Pr {lel < 41/2] eo eae: 


Next we prove (4.1.12) holds for discrete Gauss distribution Wa in Z,. The fol- 
lowing assumptions are made for the selection of parameters: 


n>1,qg>2,n*<q<2n’, 
m= (1 i oe + loa, € > 0 is any positive real number, (4.1.13) 
x= Wan)> a(n) = 0(sricga)» 


where the symbol o indicates 
lim a(n) /nlogn = 0. 


For example, we can choose a(n) = or 


i 
Jnlog?n’ 
a(n) = (Vnlog!**n) | , We > 0. 

Lemma 4.1.2. Under the condition for parameters of (4.1.13), for any0O <k <m, 

we have 


Pr {lel ale 41/2] > 1—8(n), (4.1.14) 


e~We any 


where 5(n) =o (aa 7); Ve > 0, is a negligible function. 
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Proof Based on (4.1.13), when n > ng, it is easy to see that 


2 


n q 
O<k<m<4d 1)l —<=. 
m d+e)a+ OER Sas 30 
ca 
The k samples e = | : | distributed as ve could be obtained from the k samples 
ek 
X1,X2,..., X% Of distribution y,, where 


1 
x, € o. ;) e; = Lqx;| modg, 1<i<k. 


Here the set of representative elements of Z, is 


Z,={aeZ| -~S<a<3}. 
2 2 
So we have 
k k 
lel = )o lel = )olaxi] mod g. 
i=l i=l 
Note that : 
» (Lgxi] — xi) modg <k< on 
i=l 
Therefore, 


k 


k 
q 
S93: modq < i (>> x) mod 1 < 


i=l i=1 


we have |e| < L31/2. Since a, mod 1 distributed as yw ,, where 


Vk 0 = 0 (abg), 80 


k 
1 
Pfs mod | < ial =1=8(n), 


i=1 


where 5(n) = /k-a@ =o (atm): We complete the proof. 
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4.2 The Proof of Security 


To prove the security of Regev’s cryptosystem, we first prove some general prop- 
erties for the probability distribution of Abel group by Impagliazzo and Zurkerman 
Impagliazzo and Zuckerman (1989). 

Let G be a finite Abel group, k > 1 be a positive integer. For any / elements 
£1, 82,---, 81 € G, suppose x € {0, 1}, & = (81, 82,---, gy), then 


l 
gx= > xgi, x; =Oorl 
i=1 
is called a subsum of {g1, 22, ..., g/}. Randomly choose x € {0, 1}’, let gx denote 


the distribution of subsum, and let U(G) denote the uniformly distribution on G. 


Lemma 4.2.1 For any I elements {g 1, g2,..., gj} uniformly at random, the expec- 
tation of statistical distance between the distribution of subsum and the uniformly 
distribution on U(G) is 
1 
E(A(gx, U(G))) < (IG|/2)?. 


Specially, the probability that the statistical distance is larger than (IG|/2!)4 is no 
more than (|G|/2!)4, ie. 


Pr {A(gx, U(G)) > (IGI/2)*} < (G1/2+. 


Proof Let g = (g1, g2,---, gi) be / group elements chosen at random, h € G is a 
given group element. Define P, (h) 


1 
Ph) = 5 


’ 


1 
f € {0,1}! | gx = >) x8; -»| 


i=1 


we call P,(h) the distribution of subsum for g. In order to prove P,(h) is close to 
uniformly distribution, we first prove the /) norm between P,(h) and the uniformly 
distribution is very small. In fact, we have: 


1 
> Ph)? = Prigx = @7') = ai t Prigx = gx’, x #3’). 
heG Xx X,x 
Note that for any x 4 x’, 


1 
P — = —. 
oe gx} iG| 
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So the expectation of /, norm for g satisfy 


Bie) ese ate 
| Sr <atiq 


heG 


Finally, we have the following estimation 


1 
Py 
ape a al| 
1 2\ 3 
< G|2 P,(h) — — 
E|IGI (m (20 x) ) 


fi}? 
= |G? P.(h)? | — — 
IG| [e(X st) a 


< (IG|/2!)?. 


We complete the proof. 


The security of LWE public key cryptosystem by Regev is ascribed to the follow- 
ing theorem, which is the most important result in this chapter. 


Theorem 4.2.1 For any « > 0, m > (1+ €)(n+ Ilogg, if there is a probabilis- 
tic polynomial time algorithm W which distinguishes the plaintext u = 0 oru = 1 
from the ciphertext c, then there exists a polynomial time algorithm solving the 
D-LWEn,g,x,m problem. 


A = nxm : 
Proof The public key of LWE cryptosystem is A = (F where A € Z/*” is a 
by 
matrix uniformly at random, b= | : | € Z/ is an m dimensional vector chosen 


bin 
uniformly. The encryption function f4(u) is 


c= fatu) = Ax + aia) € ) ae x € {0, 1}. 
2 
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Since W is a probabilistic polynomial time algorithm, suppose Po(W) is the 
probability that decrypting u = 0 from f4(0) by W, and P;(W) is the probability 
that decrypting u = | from f,4(1), i.e. 


(4.2.1) 


Po(W) = Pr{W(fa(0)) = 0}. 
P\(W) = Pr{W(fa(1)) = Y. 


Ifbe Zi is uniformly at random, then LWE distribution A,, is uniformly LWE 
distribution. Let P,(W) be the probability of decryption successfully by W under 
the condition of uniformly distribution A, ,. Suppose that 


1 
[PoW) — PQ) 2 ar 8 > 0, (4.2.2) 


Under the assumption of (4.2.2), we will construct a new algorithm W’ satisfying 


; / 1 
Pow) — PulW | 2 5G. (4.2.3) 


By (4.2.2), we have 


1 
or |Pi\(W) — P,.(W)| = =. 
2no 


1 
|Po(W) — Py(W)| > =. 
n 


If the first inequality of the above formula holds, let W’ = W. If the second inequal- 
ity of the above formula holds, then construct W’ as follows. Let the function 


o be fa(u) > fatu) + io) 
2z 


Thus, o maps the LWE distribution (A, b) to (A, b+ 1), If b is uniformly 
at random, so is b + ae We define W’ to be the decryption on LWE distribution 
(A, b + 45") by W. According to (4.1.5), 


Po(W) = Pi(W’), Pi(W) = Po(W’), 
so W’ is the algorithm which satisfies (4.2.3). = 
Let s € Z/, the public key sample satisfies distribution of (A, b) € Zj*" x Z7 = 


As,,- Let Po(s) be the probability of decryption u = 0 successfully by W’, i.e. 


Po(s) = Pr{W'(fa(0)) = 0}. 
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Similarly, let P,(s) be the probability of decryption successfully by W’ if (A, b) is 
uniformly at random. Suppose 


| ELPo(s)] — ELPu(s)]] 2 (4.2.4) 


2nd’ 


we define j 
Y= f E Zi | | Po(s) — P,(s)| > zat: (4.2.5) 


It’s easy to prove: if s € Z7 is uniformly distributed, then we have 


Y n > ——s 
IWI/q" 2 7 
Therefore, in order to prove Theorem 4.2.1, we need to find an algorithm Z to 
determine whether the LWE distribution A, , is uniformly at random for any s ¢€ Y. 
The construction of algorithm Z: let R be a probability distribution on Zi which is 
uniform LWE distribution or general LWE distribution when s € Y, ie. 


R = uniform LWE distribution, or R = As, s € Y. 


by 
Let A = [aj,...,am] € Las b=]: ]e Ze be m random samples from dis- 


bn 

tribution R. Let Py(R) be the probability of decryption u = 0 successfully by W’, 
where (a, b) = A;,,, s € Y. In the same way, suppose P,,(R) is the probability of 
decryption u = 0 successfully by W’ if R is uniform LWE distribution. We esti- 
mate Po(R) and P,,(R) by using the algorithm W’ polynomial times so that the error 
could be controlled within gty. If | Po(R) — P,(R)| > zr. then the algorithm Z is 
effective, otherwise it is noneffective. 

We first confirm: if R is uniform LWE distribution, then Z is noneffective with 
high probability. Because in this case, (A, b) € Zi" x Z7, bis uniformly atrandom. 
According to Lemma 4.2.1, the Abel group G = Z7 x Z,, we have 


|Po(R) — P,(R)| < 2-2, 


In this case, Z is noneffective. 
If R= A,,, where s € Y, we are to prove the algorithm Z is effective with 
probability See i.e. one can distinguish s € Y from uniform distribution. Since 


|Po(R) — P,,(R)| > in the average sense we get 


1. 
4n)? 


1 1 
P Po(R) — P,(R)| => —<- 7 >. 
al »(R) — P,(R)| =| =i 
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Thus, the algorithm Z is effective for A, ,, s € Y with positive probability. We 
complete the proof of Theorem 4.2.1. 


4.3 Properties of Rounding Function 


The public key of LWE cryptosystem by Regev is A = @. € ae xm where 


b’ 
by 
Ae Z," is a matrix uniformly at random, b= | : | € Z7' is a uniform sample 
bm 
vector (see 4.1.2). In this section we will discuss the sampling technique of public 
key A based on rounding function. 
For Vx € R, let {x} be the fractional part of x, |x] be the closest integer to x, i.e. 


_ [x00 if0< ty <b 
el io 1— {x}, ifh <(}<1, C31) 
In fact, |x] is the only integer satisfying 
bite re ee (4.3.2) 
= ee < Sc, 1 = — a J. 
x es ae ie ae x 5 


We call |x] rounding function, and its properties could be summarized as the fol- 
lowing two lemmas. 


Lemma 4.3.1 (i) |x +n] =n+ Ll neZxeR. 

7) | WL IX} A 5. 

il ee Lx], fie} = 4. 

(iii) For any integers a,b€Z, b#0, we have the following division: 
a=(|flbt+r, where —% Ps 

(v) x] +lyl-l<let+yl <b 14+ b14+Lvx,yeR 

(4) = 41. We Zn>LxeR 


Proof By (4.3.2), 
lx+n] =x] +rt+n)=n+ [x], 


so (i) holds. If {x} A 5, thenr ¢ 5, and 5 <r< 5, we have 


L-x] = L-L4] -r] = - Le. 


Ifr = 4, then {x} = 5, and 1 —r = 3, so that 


[-x] = L-l4] -1+1-r]=—-1-l[r], 
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we have (11). Property (iii) and (iv) can be proved similarly. To prove (v), let x = 


[x]+r,then —2 < + < 2, thus, 


2n n 2n? 


Lemma 4.3.1 holds. 


Definition 4.3.1 Lett and g be two positive integers, we define function f : Z—> Z 
° f@= (Sal, Va € Z. (4.3.3) 
Lemma 4.3.2 Let a,b € Z, then 

a=b(modt) => f(a) = f(b) (mod q). 


Proof Since a = b (mod t), we write a = st + b, therefore 


fla) = [2(st + 6)1 = Lsq + 2b] = 5q + [2b] = 5q + FO) 


So we have f(a) = f(b) (mod q). 


By the above lemma, f is a function from Z, to Zq> we can define its ‘inverse 
function’ f~! : Z, > Z; as follows 


7 Qe a Vb € Zz. (4.3.4) 


Lemma 4.3.3 (i) Ift <q, thenVa € Z, we have 
f'f@ =a. 
(ii) Ift > gq, anda € Z is uniformly chosen at random, we have 
Pr{f 'f@ A#ap=1- - (4.3.5) 


Proof We first prove (i). If t = q, then 


f(a) = [a1 =|a]=a> f"f@=f'@= [al = la] =a, VaeZ. 


If t <q, then = > 5 based on the definition of rounding function, 


q 1 q q 1 
< <—at+-, 
a. 2 Lal - 2 
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it follows that 


So we can get 


this is equivalent to 


Thus, : 
ee ne ee ee 
q t qt 


This means that 
f 'f@ =a, Va €Z. 


Next we prove (ii), at this time g < t. By Lemma 4.3.2, we only need to consider 
how many elements a in Z, that satisfies f—' f(a) 4 a. By (i) we get 


12 | 51] = b, Vb Zz. 
tq 


This is equivalent to 


f (1401) = b, Wb € Zq. 


So we have 


fs (1501) =f'@®)= aI, Vb € Zy. 


Here 0, [:| ; [2] eee [4] are different from each other in Z;. Next we prove 


that the number of a in Z, satisfying f~'(f(a)) = a is no more than q. Let A be the 
set containing all the elements satisfying f~'(f(a)) = ain Z,.Va,, a2 € A,a; # a 
inZ,, then we have f(a,) # f (a2) (mod q),i.e. f(a,) A f (a2) inZ,. This means the 


number of A is no more than g. Above all, it shows that 0, [:| ; [2] gidehoes [| 


are just all the numbers in Z; such that f “1 Ff (a)) = a. Based on a is uniformly 
chosen in Z,, then 
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Prif-' f(a) #.a} = 1-4. 


We complete the proof. 


In order to generalize the function f and f~! from one dimension to high dimen- 
sion, we give the following definition. 


Definition 4.3.2 Let r, g, | be positive integers, we define function F : Z! > Zi, as 
F (4 q q 1 _ 1 
(a) = (L7ail, [aal,---» Lael) € Z,, Va = (a1, 42,...,a)) € Z,, (4.3.6) 


and the ‘inverse function’ F~! : Zi, — Zi as 


t t t 
F1(6)= (ear Lebel <n) € Z;, Vb = (bi, kn, ...,b)) € Zi. 


(4.3.7) 
Lemma 4.3.4 Va = (a), a2,...,a)) € Zi, if a is uniformly at random and 
a1, 2,..., a; are mutually independent, we have 
1 q\! 
Pr{F7! F(a) # a} = max {0 i (7) (4.3.8) 


Proof If t < q, from Lemma 4.3.3, 
f'f@) =4;, Va, EZ, VICI <1. 


So 
F-'F(a) =a, Vaé ce 


1 
Pr{F-'F(a) £ a} = 0 = max {0 le (7) 
If t > q, from Lemma 4.3.3, 
Prt fo! f (ai) = ai} = 7" a, €Z,, VI<i <i. 


Since a), d2,..., aj are independent, therefore, 


PriF-'F(a) =a} = (2), a eZ, 
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Prle1F(@) #a)=1~($) =maxl0.1— 


We finish the proof. 


4.4 General LWE-Based Cryptosystem 


We introduced the LWE cryptosystem proposed by Regev in Sect. 4.1 and proved its 
security in Sect.4.2. However, it could only encrypt a single bit of plaintext and the 
efficiency is low. Based on the definition and properties of rounding function given 
in Sect.4.3, Regev presented a general LWE cryptosystem in 2009 Regev (2010), 
which could encrypt multiple bits of plaintext v ¢ Z! with size O(t') and improve 
the efficiency signally. In this section, we introduce general LWE cryptosystem first. 
Then we discuss the probability of decryption error for this cryptosystem and prove 
that it could be sufficiently small with suitable parameters. So we verify our core 
result that the LWE cryptosystem could have high security. 

Lett, g,m,n,l,r be positive integers, g > t, function F and its ‘inverse function’ 
are defined in 3.2. The workflow of general LWE cryptosystem is as follows: 


(1) Selection of private key S: S € ts a is ann x / matrix uniformly at random in 
Zq. 
In the LWE cryptosystem introduced in Sect. 4.1, the private key is an n dimen- 
sional randomly chosen vector s € Z{. To encrypt more general plaintext v € Zi, we 
randomly select / private keys 51, 52,..., 5; € Zi independently and form ann x / 
matrix S = [s,, 52,..., 8]. This is the private key S for general LWE cryptosystem. 


(2) Public key. 

When the private key S € ag is fixed, in order to choose samples from LWE 
distribution, we first select m uniform n dimensional vectors a1, d2,..., 4m € Zi in 
Zi and form a uniform random matrix 


nxm 
A= [a1, a2,-+-,Am|nxm € Zi : 


Then we generate m x / noise matrix samples EF = (E;;)mx; from distribution Wor 
where Wo is defined by (4.4.1) and (3.3.13), ie. Ej; € Zg, Eig <— Wc, l<i<m, 
1 < j </l,andthem x / samples are mutually independent. Finally we get anm x 1 
matrix P 


<a, 81 >+E\ aed <a),5, > +E\, 
P=A'S+E= 


< dm, 51 > +Emi tt5 Sm, S) > + Emi mx 
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The public key of LWE cryptosystem is (A, P), which is similar to that in Sect. 4.1. 
Here we only change the public key from b € Z?’ to m x | matrix P € Neue If the 
uniformly random matrix A is given and saved for all the users of LWE cryptosystem, 
then the true public key is the matrix P, and the public key and private key satisfy 
the following equation 

P—A'S =, E (modq). 


(3) Encryption. 
To encrypt multiple bits of plaintext v ¢ Z!, leta € {-r, -—r+1,...,r}" be anm 
dimensional vector with each entry selected uniformly in {—r, -—r+1,...,r},ie.a 


is uniformly distributed. Ciphertext (: is ann +/ dimensional vector, defined by 


ga,P(V) = (‘) , u= Aa, c= P'a+ F(), 


where F is defined in (4.3.6), and gap is called the encryption algorithm of LWE 
cryptosystem. 


(4) Decryption. 
Given ciphertext (u, c) and the private key S, we compute F~!(c — S7u) as the result 
of decryption. We have 


F-\(c — S'u) = F7\(Pa+ F(v) — S'u) 
= F-!((A'§ + E)'a+ F(v) — S’ Aa) 
= F'(E’a+ F(v)). 


Next we calculate the probability of decryption error for this cryptosystem, namely 
the probability of F~'(E7a + F(v)) # v. The following Theorem 4.4.1 gives an 
estimation for this probability, which is the main result of this section. 


Theorem 4.4.1 Suppose q > t, we have the following inequality of the probability 
of decryption error 


Pr{F-(E'a + F(v)) v} < 2u(1 o(o [— 5): (4.4.1) 


Here ® is the cumulative distribution function of the standard normal distribution, 
2 

—f* 1-5 

ie. D(x) = : ae one dt. 

Proof Denote v=(1, v2,..-, v1), Emxi = (£1, Eo, ..., E;), where FE), E2,..., E; 

are all m dimensional column vectors. Let f~!(E : a+ f(v;)) be the ith coordinate 

of F~'(E’a+ F(v)), 1 <i < 1. According to the definition of rounding function, 
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[fui < 
< j , 
2 Vi ra fies 
i tq t 
2q = Lvl Vi< 2q° 
So if | E7a} < 5 — +, we get 
t t 1 


It follows that ; 


q 


t 
Etat (2 S97 0: 
q t 


this means 
Bisaene bg 
|-EF;a+—|-vi]l =vi, 
q qt 


f-! (EJ a+ f@)) = vi. 


t 
2q? 
if fo! (E; a+f (vi) # vj, i.e. the decryption error occurs in the ith letter, then 


LETa| S 5 - a So the probability of decryption error in one letter is no more 


namely if |; Ej al < 5 - we can get f~'(E/a+ f(v;)) = v;. Equivalently, 


than the probability of 


1RT se pitas 
LETa| 25 3q7 Le. 


Pr aire (Eja+ f()) # vi} < Pr {fer 


1 t 
>--—}. 
2 2q 


The next step we estimate the probability of | Ej al S 5 - ay Since each coor- 


dinate of E; is chosen independently from the Gaussian distribution with mean 
0 and standard deviation ag//2a and the sum of independent Gaussian vari- 
ables is still a Gaussian variable, Ela is also a Gaussian distribution variable. Let 
a = (a), 42, ..., A) and each a; is chosen from {—r, —r + 1,--- , 7} uniformly at 


random, then 
= = 1 aos 
Roe r+(-r++ ay 
2r+1 


(—r)? + (—r +1)? +--- +7? tier) 


Var(a;) = = 
ae) area 3 


E(E} a) = 0. 
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2 
Var (E?a) = ( aq ) TANS os aq? mr(r + 1). 
3 67 


V2n 7 


Therefore Ela is treated as anormal distribution with mean 0 and standard deviation 


aqVJ/mr(r + 1)// 6. We have 


=" Er \/ /mr(r + 1) ae: ees 670 
ee os re 6m % 2atq \ mr(r + 1) 
_ q-t 67 
- 2(1 sd Grr \ mr(r + 5) 


So we get the following inequality for probability of decryption error of the LWE 
cryptosystem 


Pr{F-\(E'a + F(v)) £v} 


<IPr{f-' (Efa+ f@)) # vi 


1 t 
S-- 
2 2q 


_ q-t 6m 
~ 21(1 sre \ mr(r + 5) 


The upper bound could be as closed as 0 if we choose a small enough. It means 
that the probability of decryption error for the LWE cryptosystem could be made 
very small with an appropriate setting of parameters. 


4.5 Probability of Decryption Error for General 
Disturbance 


In this section we estimate the probability of decryption error for the LWE cryp- 
tosystem when the noise matrix E = (E£;j;)m xi 1s chosen independently from a gen- 
eral common variable, rather than Gauss distribution. We have the following theorem. 
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Theorem 4.5.1 q > t, E = (Eij)mxi, each element Ej; is selected independently 
fromacommon random variable of mean 0 and standard deviation B. For any 5 > 0, 
we can find positive integer m, such that the following inequality of the probability 
of decryption error holds, 


Pr{F- (Ela + FO)) £v} < 2i(1 (TF — =) 418, (4.5.1) 


Here ® is the cumulative distribution function of the standard normal distribution, 


Le. (x) = i. Aue Tat. 


Proof Similarly as the proof of Theorem 4.4.1, we need to estimate the proba- 
bility of |; Ej al = 5 - i" Since the coordinates of E/ are independent identi- 
cally distributed, E/ and a are also independent. By central limit theorem Riauba 


(1975), Ej a is approximately normal distribution with mean 0 and standard devia- 


tiond = vm Var(£;;)Var(a;) = B mrt hy Thus, for any sufficiently small 6 > 0, 
there is a positive integer m such that 


_p {ler / (+= ») >it) (+(e | 
_- EZ a| F mr(r + 1) Oe feed) 3 
~ ial/\ Py —G * Opt ¥ mr +1) 
=2(1 a(t : )) +e 
2pt \ mr(ir +1) , 


Here |e| < 5. Then we get the following inequality for probability of decryption error 
of the LWE cryptosystem for general disturbance 


Pr{F-\(E'a+ F(v)) #y} 


<iPpr iy (E}a+ f(vi)) # vi} 


1 t 
S--S 
2 2q 
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_ q-t 3 

= u(1— 0( 2p \ Tra) ale 
q-t | 3 

< 2(1 ( 2Bt \ mr(r+ 5) a 


This probability could be also closed to 0 if we choose the parameter 6./m and 5 
small enough. Therefore the probability of decryption error of the LWE cryptosystem 
for general disturbance could be made very small, which leads to high security. 


Example 4.5.1 Lett = 2,g =5,/=1,m=1,r = 1,5 = 1077, 8 = 107,veZ 
is uniformly chosen at random, the disturbance E is a random variable with the 


distribution yg such that P{E = k} = feb for positive integer k and Pr{E = 
0} =e-F, a € {-1,0, 1} is uniformly chosen at random. Then the probability of 


decryption error 


Pr{F-'(Ea+ F(v)) £v} = Pr {15 (z0 + BM = r} 


_!>p 2m 0 iB 2E 2 1 
=a ate al # \+5 r U5 at+2)|F4 


< SPE 40) + 5 PME £0} 


=1-Pr{E=0}=1 ge et < 107, 


On the other hand, 


q-t 3 3 
21(1 - o/ re eae 5)) +18 > 107, 
So it follows that 
= 3 
Pr{F“(Ea + F(v)) £v} < 2u(1 (TF | z 5)) +18, 


The inequality in Theorem 4.5.1 holds. 


Example 4.5.2 Lett = 2,g =5,1 =1,m=1,r =1,6 = 107*,A = 0.05, v € Zy 
is uniformly chosen at random, the disturbance E is a Laplace distribution variable 


|x| 


with probability density function f(x) = xe » rounding to the nearest integer, a € 
{—1, 0, 1} is uniformly chosen at random. Similarly as Example 4.5.1, the probability 
of decryption error 
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Pr{F-'(Ea+ F(v)) £v} = Pr {5 (z0 + My = r} 


Nie 


1 _ut 10 4 
<1-Pr{E=0js=1- | —e +tdx=e < 10". 
2r 
1 
3 


On the other hand, 


q-t 3 
2pt \ mrir+ 1) 


2(1 - &( )) +16 > 10~. 


We have 


q-t 3 
2Bt \ mr(r+ 5) aes 


Pr{F-1(Ea + F(v)) # v} < (1 o( 


The inequality in Theorem 4.5.1 holds. 
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Chapter 5 ®) 
Cyclic Lattices and Ideal Lattices cro 


Cyclic lattices and ideal lattices were introduced by Micciancio (2002), Lyuba- 
shevsky and Micciancio (2006), respectively, which play an efficient role in Ajtai’s 
construction of a collision-resistant Hash function and in Gentry’s construction of 
fully homomorphic encryption (Gentry, 2009a). Let R = Z[x]/ < $(x) > be aquo- 
tient ring of the integer coefficients polynomials ring, Lyubashevsky and Micciancio 
regarded an ideal lattice as the correspondence of an ideal of R, but they neither 
explain how to extend this definition to whole Euclidean space R”, nor exhibit the 
relationship of cyclic lattices and ideal lattices. In this chapter, we regard the cyclic 
lattices and ideal lattices as the correspondences of finitely generated R-modules, so 
that we may show that ideal lattices are actually a special subclass of cyclic lattices, 
namely cyclic integer lattices. It is worth noting that we use more general rotation 
matrix here, so our definition and results on cyclic lattices and ideal lattices are 
more general forms. As application, we provide cyclic lattice with an explicit and 
countable upper bound for the smoothing parameter. Our results may be viewed as 
a substantial progress in this direction. 


5.1 Some Basic Properties of Lattice 


At the beginning of Chap. 1, we have introduced the definition of lattice in R”. A 
lattice is actually a discrete additive subgroup. In this section, we mainly give some 
properties of lattice that will be used later in this chapter. 


Lemma 5.1.1 Let L C R" be a lattice, 0), 02,...,Qm € L bem vectors of L. Then 
1, 02, ..., @m» are linearly independent over R, if and only if they are linearly inde- 
pendent over Z. 


Proof If a), a2, ..., @m are linearly independent over R, trivially which are linearly 
independent over Z. Suppose that a}, @2,...,@m are linearly independent over Z, 
we consider arbitrary linear combination over R. Let 


AQ) + A202 + +++ + Anem = O, (5.1.1) 
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We should prove (5.1.1) is equivalent to a; = az = --- = @», = 0, which implies that 
G1, Q2,..., @» are linearly independent over R. 

By Minkowski’s Third theorem (see theorem VII of Cassels (1963)), for any suffi- 
ciently large N > 1, there are a positive integer g > | and integers p), p2,..., Dm € 
Z such that 

max |qai— pil<No™, 1<q<QN. (5.1.2) 


By (5.1.1), we have 


| picy + P22 Se Pm&m| 
= |(qa, — pi)oy + (Gaz — pr)otg + +++ + (Gam — Pm)On| 


1 
<mN~™ max |aj|. (5.1.3) 
l<i<m 


Let A be the minimum distance of L, € > 0 be any positive real number. We select 
N such that 
m\™ 7mym 
> max | (™) : (=) max xl" 
€ ny l<i<m 


It follows that mN~m < € and 


1 
mN~™ max |aj| <A. 
l<i<m 


By (5.1.3) we have 
| pid + pra2 + +--+ Pmom| <A. 


Since Pi, + preg +++ + Pm&m € L, thus we have pia + pra +++ Pm lm = 
0, and py = p2 = +--+ = Pm = 0. By (5.1.2) we have g|a;| < +e foralli, 1 <i<m. 
Since ¢ is sufficiently small positive number, we must have aj = dz = --- =a, = 0. 
We complete the proof of lemma. 


Suppose that B € R’*” is ann x m dimensional matrix and rank(B) = m, B’ 
is the transpose of B. It is easy to verify 


rank(B’ B) = rank(B) = m => det(B’ B) £0, 
which implies that B? B is an invertible square matrix of m x m dimension. Since 
B’B is a positive defined symmetric matrix, then there is an orthogonal matrix 


P € R”*"” such that 


P" B' BP = diag{61, 52,..., dm}, (5.1.4) 
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where 6; > 0 are the characteristic value of B? B, and diag{d,, 52,..., 5} is the 
diagonal matrix of m x m dimension. 


Lemma 5.1.2 Suppose that B € R"*” with rank(B) =m, 61, 63,...,5m are m 
characteristic values of B™ B, and (L(B)) is the minimum distance of lattice L(B), 
then we have 
M(L(B)) = min |Bx|> V5, (5.1.5) 
xeZ”, xA0 


where 6 = min{6,, d2,..., dm}. 


Proof Let A = B' B, by (5.1.4), there exists an orthogonal matrix P € R”* such 
that 
P’ AP = diag{5, 52,..., Sm}. 


If x € Z”", x # 0, we have 


x =X X=X x 
Bx|?=x7A TP(P’AP)P" 
= (P' x)" diag{6,, 52,...,5m}P'x 
> 5|P?x/? = d|x|?. 


Since x € Z” and x ¢ 0, we have |x|? > 1, it follows that 


min |Bx| > V8\x| > V8. 


xeZ™, x 


We have lemma 5.1.2 immediately. 


Another application of lemma 5.1.2 is to give a countable upper bound for smooth- 
ing parameters in Sect.5.4. A sublattice N of L means a discrete additive subgroup 
of L, the quotient group is written by L/N and the cardinality of L/N is denoted by 
|L/N|. 


Lemma 5.1.3 Let L C R" bealatticeand N C L bea sublattice. If rank(N) =rank 
(L), then the quotient group L/N is a finite group. 


Proof Let rank(L) = m, and L = L(B), where B € R”*” with rank(B) = m. We 
define a mapping o from L to Z” by o(Bx) = x. Clearly, o is an additive group 
isomorphism, 0(N) Cc Z” is a full-rank lattice of Z”, and L/N = Z /o(N). Itisa 
well-known result that 

|Z" /o (N)| = det(a (N)), 


It follows that 
|L/N| = |Z" /o(N)| = det(o(N)). 


Lemma 5.1.3 follows. 
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Suppose that L; C R", Ly C R” are two lattices of R”, we define L; + Ly = {a+ 
bla € Li, b € La}. Obviously, L; + Lo is an additive subgroup of R”, but generally 
speaking, L, + L> is not a lattice of R” again. 


Lemma 5.1.4 Let L; C R", L2 C R" be two lattices of R". Ifrank(L, 0 Lz) =rank 
(L1) or rank(L; N L2) =rank(L2), then L, + L is again a lattice of R". 


Proof To prove L; + Lz is a lattice of R", it is sufficient to prove L; + L2 is a 
discrete subgroup of R”. Suppose that rank(Z, M Lz) =rank(L,), for any x € Ly, 
we define a distance function p(x) by 


p(x) = inf(lx— yl] y #x, y € Lo). 


Since there are only finitely many vectors in Lz MN N(x, 6), where N(x, 5) is any a 
ball of center x with radius 5. Therefore, we have 


p(x) = min{|x — yl Jy #x, yeLloy}=d, > 0. (5.1.6) 
On the other hand, if x; € Ly, x2. € L; and x; — x2 € Lo, then there is yp € Lz such 
that x; = x2 + yo, and we have o(x;) = e(x2). It means that p(x) is defined over 
the quotient group L; + L/L. Because we have the following group isomorphic 
theorem 
Ly + Lo/Lz = 11/L, 9 Lo, 
By lemma 5.1.3, it follows that 


[Ly + Lo/Lo| = |£1/L1N L2| < ~, 


In other words, L; + L2/Lz is also a finite group. Let x;, x2,..., x, be the repre- 
sentative elements of L; + L2/L2, we have 


min |x —y| = min p(x;) > min{A;,,Ax,,..., Ax} > 0. 
xeL,yelz,x#y QS 


Therefore, L; + L> is a discrete subgroup of R", thus it is a lattice of R”. 


Remark 5.1.1. The condition rank(L; 9 L2) = rank(ZL) or rank(L, M L2) = rank 
(L>) in lemma 5.1.4 seems to be necessary. As a counterexample, we see the real 
line R, let L; = Z and L, = /2Z, then L,; + L; is not a discrete subgroup of R, 
thus L; + L» is not a lattice in R. Because L, + Lo = {n+ V2m|n Ee Z,me Zhis 
dense in R by Dirichlet’s theorem (see theorem I of Cassels (1963)). 

As a direct consequence, we have the following generalized form of lemma 5.1.4. 


Lemma 5.1.5 Let L, Lo,..., Lm be m lattices of R" and 


rank(L; 1 L2+--OL,) = rank(L;) for some 1 < j <m. 


5.2 Ideal Matrices 123 


Then Lj + Lo +-+--+ Ly is a lattice of R". 


Proof Without loss of generality, we assume that 
rank(L; 0 L29---A Lm») = rank(L,,). 
Let L} + Lo +---+L,_) = L’, then 
L' + L/L! = Lm/L' O Lm. 


Since rank(L'’N L,,) =rank(L,,), by lemma 5.1.4, we have L’ + Ly, = L; + Ly + 
--- +L, is a lattice of R” and lemma 5.1.5 follows. 


5.2 Ideal Matrices 


In Chap. 3 we introduced the concept of circulant matrix and some related properties. 
In this section, we generalize them to general ideal matrix and introduce the properties 
of ideal matrix. By using the characteristic polynomial ¢(x) as modulo and the 
definition of g-convolutional product, we establish the ring isomorphism one-to-one 
correspondence between polynomial quotient rings and n dimensional vectors in R”. 

Let R[x] and Z[x] be the polynomial rings over R and Z with variable x, respec- 
tively. Suppose that 


b(x) = x" — bp_1x""| —--»— dix — bo € ZIx], bo #0 G21) 


is a polynomial with integer coefficients of which has no multiple roots in com- 
plex number field C. Let w), w2,..., wy be the n different roots of ¢(x) in C, the 
Vandermonde matrix Vg is defined by 


1 1 1 
Ww W2 eee Wn 

Ve=| . _ |, det(Vs) £0. (5.2.2) 
wt! ue wn? 


pi 


eZ", (5.2.3) 
Tn-1 


Pn—1 


nxn 
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where /,_; is the (7 — 1) x (n—1) unit matrix. Obviously, the characteristic 
polynomial of H is just @(x). We use column notation for vectors in R”. Let 


{€9, €],---, @n—1} be the standard basis of R”, see (5.1.2) in Chap. 3. 
So 
- i ; 
Definition 5.2.1 For any f = . € R", the ideal matrix generated by vector 
Sn-1 


f is defined by 
H*(f) =f, Hf, H7f,..., 4" | flaxn € R"™", (5.2.4) 


which is a block matrix in terms of each column H* f (O0<k <n-—1). Sometimes, 
f is called an input vector. In Chap. 3, we introduced the definition of circulant matrix. 
Itis easily seen that H*(f) is amore general form of the classical circulant matrix and 
r-circulant matrix (Shi, 2018; Yasin and Taskara, 2013). In fact, if (x) = x” — 1, 
then H*(f) is the ordinary circulant matrix generated by /. If ¢(x) = x” —r, then 
H*(f) is the r-circulant matrix. 


By (5.2.4), it follows immediately that 


H"(f +g) = H*(f) + H"(g), (5.2.5) 
and 
H* (Af) =AH*(f), VAER. (5.2.6) 
fo 
Specially, for any f = : € R", the ideal matrix H*(f) generated by f could 
Sn-1 


be written as 


n—-1 n—-1 
Hf H (x fe =) Eee, 


i=0 i=0 


which means that any ideal matrix is the linear combination of ideal matrices gener- 
ated by the standard basis vectors e;. It is easy to verify that 


H*(eo) = In, H*(@) = H*, 1<k<n-1, 


So the unit matrix J,, and rotation matrices H* (1 <k <n-—1) are all the ideal 
matrices. 

Moreover, H*(f) = 0 is a zero matrix if and only if f = 0 is a zero vector, thus 
one has H*(f) = H*(g) if and only if f = g. Let M* be the set of all ideal matrices, 
namely 

M* = {H*(f)| f € R’}. (5.2.7) 
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We may regard H* as a mapping from R” to M* of which is a one-to-one corre- 
spondence. Next we show some basic properties for ideal matrix, and more contents 
could be found in Zheng et al. (2022a). 


Lemma 5.2.1 For any f € R", we have 
H-H*(f) = H°(f)- A. (5.2.8) 


Proof Since ¢(x) = x" — gn x"! —--- — bx — oo is the characteristic polyno- 
mial of H, by Hamilton—Cayley theorem, we have 


H" = boln + Oi +--+ ¢,1H" |. 


1 


By (5.2.4) we have 


H*(f)H =[f, Hf... H""'f] ie ) 
HAP AP fs HG bof + Hf tot bef 
=[Hf,H’f,...,H" 'f, H"f] 
= Hf, Hf,.... H""'f|=H-H*(f), 


The lemma follows. 


fo 
1 
Lemma 5.2.2 For any f = F € R" we have 
Sn-1 
H*(f) = foln t+ fH +--+ fr". (5.2.9) 


Proof We use induction on n to show this conclusion. If = 1, it is trivial. Suppose 
it is true for n, we consider the case of n + 1. For this purpose, we write H = H,,, 


€0, 1, «++, €n—1 the n column vectors of unit in R”, namely 
1 0 0 
1 0 
eo= 5EU = An = 
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_ (0 Ao 
Ain+1 = (C a) ’ 


where Ap = (0, 0, ..., 69) € R” is a row vector. For any k, 1 < k <n —1, it is easy 
to check that 


and 


A Hk! 
Aynex—1 = ek, Hkey = e& and Hi, = (.° aah ). 


x1 Hy 
fo 
fi 
Let f=| : | €R"t!, we denote f’ by 
Sn-1 
Stn 
fi 
hr fi 
Bes R", = ') 
: r=(j 
tn 


By the assumption of induction, we have 


Ax(f’) = eae Hi f', sees Sigma | = Siln te So An Be ee a in, 


Ay (Pf) = i) ’ An+1 2) ee) i hen ()| 


= folnt+ fila te + fol. 


it follows that 


We complete the proof of lemma 5.2.2. 


Lemma 5.2.3 Let f(x) = fot fix +--+ fn—ix"! € R[x], then we have 
H*(fp= V, ‘diag{ f(w1), f(w2), 5 f(wi)} Ve, (5.2.10) 


where diag{ f (w,), f(w2), ..., f(Wy)} is the diagonal matrix. 


Proof By theorem 3.2.5 of Davis (1994), for H, we have 


H = V, ‘diag{w, w2, ..., Wn} Vo, 
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By lemma 5.2.2, it follows that 


H*(f) = Vy" diag {f (wi), f (wa), 5 f (Wn) }Vo- 


Now, we summarize some basic properties for ideal matrix as follows. 


Lemma 5.2.4 Suppose $(x) € Z[x] is a polynomial of which has no multiple roots 
in complex number field C. f € R", g € R" be two column vectors, we have 


(i) H*(f)H*(g) = H*(g)H*(f); 
(ii) H*(f)H"(g) = H*(A*(f)g); 
(iii) det(H*(f)) = Nj) f(a; 
(iv) H*(f) is an invertible matrix if and only if ¢(x) and f (x) are coprime, i.e. gcd 
((x), f(x) = 1. 


Proof (i) and (ii) follow from lemma 5.2.2 immediately, (iii) and (iv) follow from 
lemma 5.2.3. 


In Sect. 3.1, we took the characteristic polynomial x” — 1 as modulo and con- 
structed the one-to-one correspondence between polynomial quotient rings and n 
dimensional vectors. Now we can generalize it to the general case using characteris- 
tic polynomial ¢(x) as modulo. Let ¢(x)R[x] and ¢(x)Z[x] be the principal ideals 
generated by $(x) in R[x] and Z[x], respectively, we denote the quotient rings R 
and R by 

R = 2Z[x]/@()Z[x], R = R[x]/¢(~) R[x]. (5.2.11) 


There is a one-to-one correspondence between R and R” given by 


fo 
f(x) = fot fixt---+frix™ !eR<> f= : ER". (5.2.12) 
hei 
We denote this correspondence by f, that is 
t(f(x)) = f, Cf) = fF). (5.2.13) 


If we restrict ¢ in the quotient ring R, then which gives a one-to-one correspondence 
between R and Z”. First, we show that f is also a ring isomorphism. 


Definition 5.2.2. For any two column vectors f and g in R”, we define the ¢- 
convolutional product f * g by 


fxg =H*(f)g. (5.2.14) 
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By lemma 5.2.4, it is easy to see that 
feg=exf, and H"(f xg) = H*(f)H"(g). 
Lemma 5.2.5 For any two polynomials f (x) and g(x) in R, we have 
Hf (x)ge(x)) = H* (fg = f *g. (5.2.15) 
Proof Let g(x) = go + 1x +++: + 8)-1x""! € R, then 
x8 (x) = PoSn—1 + (80 + O1Bn—1)¥ +++ + (Bn—2 + Gn—-18n—1) "| 


it follows that 
t(xg(x)) = At(g(x)) = Hg. (5.2.16) 


Hence, for any 0 < k <n — 1, we have 
t(x*g(x)) = H*t(g(x)) = H*g, O<k <n. 
Let f(x) = fot fix +--+ fa_1x"7! © R, by lemma 5.2.2, we have 


n—-1 n—-1 


t(f(x)gx)) = > fit’ g(x) =o fig = A (fg. 


i=0 i=0 


The lemma follows. 


Lemma 5.2.6 Under $-convolutional product, R" is a commutative ring with iden- 
tity element ey and Z" C R" is its subring. Moreover, we have the following ring 
isomorphisms 

R=R"=M*, R=Z"= Mj, 


where M* is the set of all ideal matrices given by (5.2.7), and Mj is the set of all 


integer ideal matrices. 


Proof Let f(x) € R and g(x) € R, then 


(f(x) + g@)) = f +g =t(f@)) +t(gQ@)), 


and 


t(f(x)g(x)) = W*(f)g = f *¥g =t(f@)) *t(g@)), 


this means that is aring isomorphism. Since f * g = g * f andeg * g = H*(eo)g = 
I,g = g, then R” is a commutative ring with eg as the identity elements. Noting 
H*(f) is an integer matrix if and only if f € Z” is an integer vector, the isomor- 
phism of subrings follows immediately. 
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According to property (iv) of lemma 5.2.4, H*(f) is an invertible matrix whenever 
(f (x), 6(x)) = 1 in R[x], we show that the inverse of an ideal matrix is again an 
ideal matrix. 


Lemma 5.2.7 Let f(x) € R and (f (x), @(x)) = 1 in R[x], then 
(H*(f))"! = H*(u), 
where u(x) € R is the unique polynomial such that u(x) f (x) = 1 (mod $(x)). 


Proof By lemma 5.2.5, we have u * f = eo, it follows that 
A*(u)H*(f) = H*(eo) = Ih, 


thus we have (H*(f))~! = H*(u). It is worth to note that if H*(f) is an invertible 
integer matrix, then (H*(f))~' is not an integer matrix in general. 


Sometimes, the following lemma may be useful, especially, when we consider an 
integer matrix. 


Lemma 5.2.8 Let f(x) € Z[x] and (f (x), 6(x)) = Lin Z[X], then we have (f (x), 
o(x)) = 1 in R[x]. 


Proof Let Q be the rational number field. Since (f(x), é(x)) = 1 in Z[x], then 
(f (x), 6(x)) = 1 in Q[x]. We know that Q[x] is a principal ideal domain, thus there 
are two polynomials a(x) and b(x) in Q[x] such that 


a(x) f(x) + b@)b(x) = 1. 


This means that (f(x), @(x)) = 1 in R[x]. 


5.3. -Cyclic Lattice 


As we know that cyclic code plays a central role in algebraic coding theorem (see 
Chap. 6 of Lint (1999)). In Zheng et al. (2022a), we extended ordinary cyclic code 
to more general forms, namely $-cyclic codes, which will be introduced in Chap. 7. 
To obtain an analogous concept of @-cyclic code in R”, we note that every rotation 
matrix H defines a linear transformation of R” by x > Hx. 


Definition 5.3.1 H is the rotation matrix defined in (5.2.3). A linear subspace C C 
R" is called a d-cyclic subspace if Va € C > Ha € C. A lattice L C R" is called 
a @-cyclic lattice if Va ¢e L => Hae L. 


In other words, a @-cyclic subspace C is a linear subspace of IR”, of which is 
closed under linear transformation H. A ¢-cyclic lattice L is a lattice of R” of which 
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is closed under H. If @(x) = x” — 1, then A is the classical circulant matrix and 
the corresponding cyclic lattice was first appeared in Micciancio Micciancio (2002), 
but he does not discuss the further property for these lattices. To obtain the explicit 
algebraic construction of @-cyclic lattice, we first show that there is a one-to-one 
correspondence between @-cyclic subspaces of R” and the ideals of R. 


Lemma 5.3.1 Let t be the correspondence between R and R" given by (5.2.13), 
then a subset C C R" is a ¢-cyclic subspace of R", if and only if t~'(C) C R is an 
ideal. 


Proof We extend the correspondence t to subsets of R and R” by 
C(x) CR —> C = {e|e(x) € CX) CR". (5.3.1) 


Let C(x) C R be an ideal, it is clear that C C t(C(x)) is a linear subspace of R”. To 
prove C is a ¢-cyclic subspace, we note that if c(x) € C(x), then by (5.2.16) 


xc(x) € C(x) > At(c(x)) = Ac EC. 
Therefore, if C(x) is an ideal of R, then t(C(x)) = C isa o-cyclic subspace of R”. 
Conversely, if C C R” is a @-cyclic subspace, then for any k > 1, we have H*c € C 


whenever c € C, it implies 


Ye(x) € C(x) > x*c(x) € C(x), O0<k<n-l, 


which means that C(x) is an ideal of R. We complete the proof. 


By the above lemma, to find a @-cyclic subspace in R", it is enough to find an 
ideal of R. There are two trivial ideals C(x) = 0 and C(x) = R, the corresponding 
o-cyclic subspace are C = 0 and C = R". To find non-trivial @- ae subspaces, we 
make use of the homomorphism theorems, which is a standard technique in algebra. 
Let z be the natural homomorphism from R[x] to R, ker = $(x)R[x]. We write 
o(x)R[x] by < $(x) >. Let N be an ideal of R[x] satisfying 

< ¢(x) >C NCRiIx] —> R=RIx x]/<o(x)>. (5.3.2) 


Since R[x] is a principal ideal domain, then N =< g(x) > is a principal ideal gen- 
erated by a monic polynomial g(x) € R[x]. It is easy to see that 


< (x) >C< g(x) >> g(x)|o(x) in RE]. 
It follows that all ideals N satisfying (5.3.2) are given by 
{< g(x) > | g(x) € R[x] is monic and g(x)|¢(x)}. 


We write by < g(x) > mod ¢(x), the image of < g(x) > under 7, i.e. 
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< g(x) > mod (x) = m1(K« g(x) >). 
It is easy to check 


< g(x) > mod $(x) = {a(x)g(x) | a(x) € R[x] and dega(x) + degg(x) < n}. 
(5.3.3) 
more precisely, which is a representative elements set of < g(x) > mod $(x). By 
homomorphism theorem in ring theory, all ideals of R given by 


{< g(x) > mod ¢(x) | g(x) € R[x] is monic and g(x)|¢(x)}. (5.3.4) 


Let d be the number of monic divisors of (x) in R[x], we have the following lemma. 


Lemma 5.3.2. The number of $-cyclic subspace of R" is d. 


Proof By lemma 5.3.1, the correspondence between ¢-cyclic subspace of R" and 
ideal of R is one-to-one. Based on (5.3.4), the number of ideal of R is equal to the 
number of divisors of (x) in R[x], i.e. d. So the number of ¢-cyclic subspace of 
R" is d. 


Next, we discuss @-cyclic lattice, which is the geometric analogy of cyclic code. 
The @-cyclic subspace of R” maybe regarded as the algebraic analogy of cyclic code. 
Let the quotient rings R and R given by (5.2.11). A R-module is an Abel group A 
such that there is an operator Aw € A forall A € Randa é€ A, satisfying 1-a =a 
and (A,A2)a = A, (A2a@). It is easy to see that R is a R-module, if A C R and A is 
a R-module, then A is called a R-submodule of R. All R-modules we discuss here 
are R-submodule of R. On the other hand, if J C R, then / is an ideal of R, if and 
only if J is a R-module. Let a € R, the cyclic R-module generated by a be defined 
by 

Ra = {ra |r € R}. (5.3.5) 


If there are finitely many polynomials a, @2,..., a, in R such that 
A = Ra, + Rag +---+ Rag, 
then A is called a finitely generated R-module, which is a R-submodule of R. 
Now, if L C R" is a @-cyclic lattice, g € R”, H*(g) is the ideal matrix generated 
by vector g, and L(H*(g)) is the lattice generated by H*(g). In the following lemma, 
we prove that any L(H*(g)) is a @-cyclic lattice and 


gEeL=>L(A*(g)) CL, (5.3.6) 


which implies that L(H*(g)) is the smallest @-cyclic lattice of which contains vector 
g. Therefore, we call L(H*(g)) is a minimal ¢-cyclic lattice in R”. 
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Lemma 5.3.3 For any vector g € R", then L(H“*(g)) is a@-cyclic lattice. Moreover, 
if L C R" is a ¢-cyclic lattice and g € L, then we have L(H*(g)) C L. 


Proof Leta € H*(g), then there is an integer vector b € Z” such that a = H*(g)b. 
By lemma 5.2.2, we have 


a= gol,b+g,;Hb+---+ gn-1H"—'b 


and 
Hot = (gon + 81H +++ + 8,1" ')Hb = H*(g)Hb. 


Since Hb € Z", it follows that Ha € L(H*(g)). This means that L(H*(g)) is a g- 
cyclic lattice. If L is a @-cyclic lattice and g € L, then H'g € LforO0 <k <n—1, 


and 
bo 


bong +b,Hg +---+bn,1H" 'g €L, forallb = . [eZ 


It follows that 
H*(b)g = H*(g)be L, be Z’. 


Thus we have L(H*(g)) C L, and lemma 5.3.3 holds. 


Lemma 5.3.4 There is a one-to-one correspondence between the minimal @-cyclic 
lattice in IR” and the cyclic R-submodule in R, namely 


t(Rg(x)) = L(H*(g)), forall g(x) eR 


and 
t!(L(A*(g))) = Rg(x), forall g € R". 


Proof Let b(x) € R, by lemma 5.2.5, we have 

t(b(x)g(x)) = H*(b)g = H*(g)b € L(H*(g)), 
and t(Rg(x)) C L(A*(g)). Conversely, if a € L(H*(g)), and a = H*(g)b for 
some integer vector b, by lemma 5.2.5 again, we have b(x)g(x) € Rg(x), and 
t (b(x)g(x)) = a. This implies that 


L(H*(g)) c t(Rg(x)), 


and 
t(Rg(x)) = L(A*(g)). 


The lemma follows immediately. 
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Suppose L = L(fj, fo,..., Bm) is arbitrary ¢-cyclic lattice, where B = [f), 


Bo, .--, Bm|nxm is the generated matrix of L. L may be expressed as the sum of 
finitely many minimal ¢-cyclic lattices, in fact, we have 


L = L(H*(6))) + L(A*(B2)) + +++ + LCA" (Bm)). (5.3.7) 


To state and prove our main results, first, we give a definition of prime spot in R”. 


Definition 5.3.2 Let g <¢ R”, and g(x) =f" !(g) € R. If (g(x), o(x)) = 1 in R[x], 
we call g is a prime spot of R”. 

By (iv) of lemma 5.2.4, g € R” is a prime spot if and only if H*(g) is an invertible 
matrix, thus the minimal ¢-cyclic lattice L(H*(g)) generated by a prime spot is a 
full-rank lattice. 


Lemma 5.3.5 Let g and f be two prime spots of R", then L(H*(g)) + L(A*(f)) 
is a full-rank @-cyclic lattice. 


Proof According to lemma 5.1.4, it is sufficient to show that 
rank(L(H*(g)) L(H*(f))) = rank(L(H*(g))) =n, (5.3.8) 
In fact, we should prove in general 
L(H*(g)- H"(f)) C L(A*(g)) VL(A*(f)). (5.3.9) 
If (5.3.9) holds, since H*(g) - H*(f) is invertible matrix, then 
rank(L(H*(g)- H*(f))) =n, 
(5.3.8) holds. To prove (5.3.9), we note that 
L(H"(g)- H"(f)) = L(A*(g * f)), 


It follows that 
t'(L(H*(g)- H*(f))) = Re(x) f(x), 


It is easy to see that 
Rg(x) f(x) C Rg) ORF). 


Therefore, we have 


L(A*(g)- H*(f)) = t(Rg@)f)) C L(A*(g)) 0 L(A*(f)). 


This is the proof of lemma 5.3.5. 
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It is worth to note that (5.3.9) is true for more general case and does not need the 
condition of prime spot. We have the following lemma. 


Lemma 5.3.6 Let 8), 62,..., Bm be arbitrary m vectors in R", then we have 


L(H*(B)) H* (Bz) +++ A*(Bm)) C LCH*(B1)) 0 LC" (B2)) 1+ +» 1 LC® (Bm). 
(5.3.10) 


Proof If 61, Bo, ..., Bm are integer vectors, then (5.3.10) is trivial. For the general 
case, we write 


L(A*(B,) » H* (Bo) --- A*(Bm)) = L(A* (Bi * Bo *--* * Bm), 
where 6 * Bo * --- * B,, is the @-convolutional product defined in (5.2.14), then 
t~'(L(H*(B1) +++ H*(Bm))) = RBi (x) B2(x) ++ + Bn (x). 


Since 


RBj (x) B2(X) ++ Bm(&®) C RB) O RB2(X) +O RBm@), 


It follows that 


L(H*(B,) H* (Bz) +++ A*(Bm)) C LCH*(B1)) 0 LH" (Bo)) 1+» LC® (Bm). 


We have this lemma. 


By lemma 5.3.5, we also have the following corollary. 


Corollary 5.3.1 Let 6), B2,..., Bm be m prime spots of R", then L(H*(B,)) + 
L(A*(B2)) +--+ + LCA*(By,)) is a full-rank $-cyclic lattice. 


Proof Based on lemma 5.1.5, it follows immediately from lemma 5.3.5. 


Our main result in this paper is to establish the following one-to-one correspon- 
dence between @¢-cyclic lattices in R” and finitely generated R-modules in R. 


Theorem 5.3.1 Let A = Raj(x) + Raz(x) +--+ + Ram (x) be afinitely generated 
R-module in R, then t(A) is a @-cyclic lattice in R". Conversely, if L C R" is a o- 
cyclic lattice in R", then t~|(L) is a finitely generated R-module in R, that is a 
one-to-one correspondence. 


Proof If A isa finitely generated R-module, by lemma 5.3.4, we have 


t(A) = t(Ray(x) +--+ + Rom (x)) 
= L(H*(a))) + L(H*(a@2)) + +--+ L(A" (Gm). 


The main difficult is to show that ¢ (A) is a lattice of R”, we require a surgery to embed 
t(A) into a full-rank lattice. To do this, let (a; (x), @(x)) = d;(x), dj(x) € Z[x], and 
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B(x) = a; (x)/d;(x), 1 <i < m. Since ¢(x) has no multiple roots by assumption, 
then (6;(x), @(x)) = | in R[x]. In other words, each t(8;(x)) = ; is a prime spot. 
It is easy to verify Ra; (x) C R6;(x) 1 <i < m), thus we have 


(A) C L(H*(B\)) + L(H*(B2)) + ++- + LCA" (Bn). 


By corollary 5.3.1, we have t(A) is ¢-cyclic lattice. Conversely, if L C R” is a 
o-cyclic lattice of R”, and L = L(f, Bo, ..., Bm), by (5.3.7), we have 


t'(L) = RB\(x) + RBo(x) +--+ + RBn (x), 


which is a finitely generated R-module in R. We complete the proof of theorem 5.3.1. 


Since R is a Noether ring, then J C R is an ideal if and only if J is a finitely 
generated R-module. On the other hand, if J C R is an ideal, then t(/) C Z" isa 
discrete subgroup of Z”, thus f (J) is a lattice. We give the following definition. 


Definition 5.3.3 Let J C R be an ideal, t(/) is called the ¢-ideal lattice. 

Ideal lattice was first appeared in Lyubashevsky and Micciancio (2006), and more 
contents could be found in Zheng et al. (2022a). As a direct consequence of theorem 
5.3.1, we have the following corollary. 


Corollary 5.3.2 Let L C R" be a subset, then L is a ¢-cyclic lattice if and only if 
L = L(A*(B))) + L(A" (B2)) +--+ + LCA" (Bm)), 


where B; € R" andm <n. Furthermore, L is a ¢-ideal lattice if and only if every 
BE Z",1<icm. 


Corollary 5.3.3 Suppose that $(x) is an irreducible polynomial in Z[x], then any 
nonzero ideal I of R defines a full-rank -ideal lattice t(1) C Z". 


Proof Let I C R be a nonzero ideal, then we have J = Raj (x) + Rag(x) +--+ + 
Ra (x), where a;(x) € R and (a;(x), @(x)) = 1. It follows that 


t(1) = L(H*(a)) + L(A*(a2)) + +++ + L(A" (Gn). 


Since each a; is a prime spot, we have rank(t(/)) =n by corollary 5.3.1, and the 
corollary follows at once. 


We have proved that any an ideal of R corresponding to a ¢-ideal lattice, which 
just is a d-cyclic integer lattice under the more general rotation matrix H = Hg. 
Cyclic lattice and ideal lattice were introduced in Lyubashevsky and Micciancio 
(2006) and Micciancio (2002), respectively, to improve the space complexity of 
lattice-based cryptosystems. Ideal lattices allow to represent a lattice using only two 
polynomials. Using such lattices, class lattice-based cryptosystems can diminish 
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their space complexity from O(n?) to O(n). Ideal lattices also allow to accelerate 
computations using the polynomial structure. The original structure of Micciancio’s 
matrices uses the ordinary circulant matrices and allows for an interpretation in terms 
of arithmetic in polynomial ring Z[x]/ < x” — 1 >. Lyubashevsky and Micciancio 
latter suggested to change the ring to Z[x]/ < (x) > with an irreducible (x) 
over Z[x]. Our results here suggest to change the ring to Z[x]/ < @(x) > with 
any a polynomial @(x). There are many works subsequent to Lyubashevsky and 
Micciancio, such as Micciancio and Regev (2009); Peikert (2016). 


Example 5.1 It is interesting to find some examples of ¢-cyclic lattices in an alge- 
braic number field K. Let Q be rational number field, without loss of generality, an 
algebraic number field K of degree n is just K = Q(w), where w = w; is a root of 
(x). If all Q(w;) CR (1 <i <n), then K is called a totally real algebraic number 
field. Let Ox be the ring of algebraic integers of K, and J C Ox be an ideal, J 4 0. 
Since there is an integral basis {a,, @2,...,@,} C I such that 


I = Za, + Zan+---+ Zan, 


We may regard every ideal of Ox as a lattice in Q”, our assertion is that every nonzero 
ideal of Ox is corresponding to a full-rank ¢-cyclic lattice of Q”. To see this example, 


let “y 
Qlw] = [Saw | 4; <0}, 
i=0 


It is known that K = Q[w], thus every a € K corresponds to a vector a € Q” by 


Qn-1 


If J C Ox is an ideal of Ox and J = Za; + Zarz+---+Za,, let B= [ay, 
@2,..., A] € Q"*", which is full-rank matrix. We have t(J) = L(B) is a full- 
rank lattice. It remains to show that t(/) is a @-cyclic lattice, we only prove that 
ifa ¢ 1 > Ha € (J). Suppose that a € J, then wa € J. It is easy to verify that 
T(w) = e; and 

T(wa) = T(w) * T(a) = Hae t(/). 


This means that t(/) is a @-cyclic lattice of Q”, which is a full-rank lattice. 
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5.4 Improved Upper Bound for Smoothing Parameter 


As application of the algebraic structure of @-cyclic lattice, we show that an explicit 
upper bound of the smoothing parameter for the ¢-cyclic lattices. The definition of 
smoothing parameter was introduced in Chap. 1. Suppose that L is a full-rank lattice 
and L* is its dual lattice, for any € > 0, we define the smoothing parameter 7, (L) of 
L to be the smallest s such that »;/;(L*) < 1+ €, here p is the Gauss function, 


Slx—el? 


Ps,c(x) =e » Ps(X) = Pso(x), x € R’. 


Notice that 1/;(L*) is a continuous and strictly decreasing function of s, thus the 
smoothing parameter 7, (L) is a continuous and strictly decreasing function of €, i.e. 


Ne (L) < He (L), if0 <6 <«. 


The following lemma shows the relation of smoothing parameters between a lattice 
and its sublattice. 


Lemma 5.4.1 Suppose that L, and L» are two full-rank lattices in R", and L, C Lo, 
then for any € > 0, we have 
Ne(L2) < ne(L1). (5.4.1) 


Proof Let n-(L1) = s, we are to show that n.(L2) < s. Since 
Pijs(L}) =1 +e, 
i.e. 
Soe mite. 


xeLt 


It is easy to check that L3 C Lj, it follows that 


l+e = y ented? > » ents xP 
—_ a ’ 


xeLi xeL3 


which implies 
Pijs(L3) <1 +e, 


and n.-(L2) < s = ne(L1), thus we have lemma 5.4.1. 


According to (5.2.4), the ideal matrix H*(f) with input vector f € R” is just the 
ordinary circulant matrix when ¢(x) = x” — 1. Next lemma shows that the transpose 
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80 
81 
of a circulant matrix is still a circulant matrix. For any g = : € R", we denote 
8n-1 
8n-1 
8n-2 
z= . |, which is called the conjugation of g. 
80 
80 
81 
Lemma 5.4.2 Let d(x) = x” — 1, then for any g = . € R", we have 
8n-1 
(H*(g))" = H*(H8). (5.4.2) 


Proof Since @(x) = x" — 1, then H = Hg is an orthogonal matrix, and we have 
H-' =H"! =H". We write H} = H’ = H™'. The following identity is easy to 
verify 

<T 

g Ay 

: gH? 
A") = : 

aH} 
It follows that 


(H*(g))’ = (Hg, H(H@),..., H"-'(Hg)] = H*(H@), 


and we have the lemma. 


Lemma 5.4.3 Let (x) = x” — 1, suppose that g € R" and the circulant matrix 
H* (g) is invertible. Let A = (H*(g))’ H*(g), then all characteristic values of A are 
given by 

{lg@)I?, 1g @2)??, ---. 1¢@n I", 


where 6? = 1 (1 <i <n) are the n-th roots of unity. 
Proof By lemma 5.4.2 and (ii) of lemma 5.2.4, we have 


A = H*(Hg)H*g = H*(H*(H2)g) = H*(g"), 
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where g” = H*(H@)g. Let g"(x) = t~!(g”) is the corresponding polynomial of g”. 
By lemma 5.2.3, all characteristic values of A are given by 


{g"(1), 8" (02),---8"(On)}, OF =1, L<i<n. 


&0 
&1 : 

Let g = . € R”. It is easy to see that 

&n-1 
n—-1 n—-1 n—-1 
s(@)= og t (x ans) Xpeeet (x ase x"! = |g(x)/’, 

i=0 i=0 i=0 

where g_; = g,-; forall 1 < i <n — 1, then the lemma follows at once. 


By the definition of prime spot, if g € R” is a prime spot, then there is a unique 
polynomial u(x) € R such that u(x)g(x) = 1 (mod ¢(x)). We define a new vector 
T, and its corresponding polynomial T,(x) by 


i= ha, 1) St Ga): (5.4.3) 


If g € Z” is an integer vector, then T, € Z" is also an integer vector, and T,(x) € Z[x] 
is a polynomial with integer coefficients. Our main result on smoothing parameter 
is the following theorem. 


Theorem 5.4.1 Let (x) = x" —1, L C R" bea full-rank ¢-cyclic lattice, then for 
any prime spots g € L, we have 


m-(L) < Jn(min{|T, 1), [Ty(O2)1, «+. |Z (OndIN)'s (5.4.4) 


where 6? = 1, 1 <i <n, and T, (x) is given by (5.4.3). 


Proof Let g € L bea prime spot, by lemma 5.4.1, we have 
L(H*(g)) CL => ne(L) < ne(L(H"(g))), Ve > 0. 


To estimate the smoothing parameter of L(H*(g)), the dual lattice of L(H*(g)) is 
given by 


L(H*(g))* = L(H*(u))") = L(A*(H)) = L(A*(T,)), 


where u(x) € R and u(x)g(x) = 1 (mod x” — 1), and T, is given by (5.4.3). Let 
A= ry a by lemma 5.4.3, all characteristic values of A are 


{|Ty (1) 17, [Ty (02) 17, -- +5 [Te (On)17}- 
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By lemma 5.1.2, the minimum distance 4;(L(H*(g))*) is bounded by 

Ai (L(H*(g))*) > min{|T, (61)|, |T,(2)|, --- |Z (On) }- (5.4.5) 
According to the classical estimation of upper bound of smoothing parameter 


no-n(L) < Vn/Ai(L*), 


we see that theorem 5.4.1 holds. 


Let L = L(B) be a full-rank lattice and B = [6), Bo, ..., 6,]. We denote by 
B* = [BY, B5,..., Bz] the Gram-Schmidt orthogonal vectors {6*} of the ordered 
basis B = {f;}. It is a well-known conclusion that 


> |B*| = mi * 
Ai(L) 2 |B" ee 1 i 


and 


No-n(L) < J/n/A(L*), 
so we get the following upper bound 
mo-n(L) < Jnl Be|-!, (5.4.6) 


where Bo is the orthogonal basis of dual lattice L* of L. 
For a ¢-cyclic lattice L, we observe that the upper bound (5.4.5) is always better 
than (5.4.6) by numerical testing, we give two examples here. 


Example 5.2 Let n = 3 and $(x) = x? — 1, the rotation matrix H is 


001 
H=1{100 
010 


We select a ¢-cyclic lattice L = L(B), where 


111 
B=|011 
001 


Since L = Z,, thus L is a p-cyclic lattice. It is easy to check 


V3 
|Bo| min, |; 3 
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On the other hand, we randomly find a prime spot 


and g(x) = x”, since 
xg(x) = 1 (mod x? — 1), 


we have 
T(x) = x’, 


it follows that 
|T,(91)| = |T,(@2)| = |T,(63)| = 1, 


—l 
: : < *y— 1) _ : 
(,min, 7.1) <|Bo|"! = V3 


Example 5.3 Let n = 4 and $(x) = x* — 1, the rotation matrix H is 


0001 
1000 
0100 
0010 


H= 


We select a d-cyclic lattice L = L(B), where 


1111 
O1ll 
0011 
0001 


Since L = Z/, thus L is a $-cyclic lattice. It is easy to check 


|Bo| = min |6;| = - 
OS tere om 


On the other hand, we randomly find a prime spot 
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and g(x) = x — 2, since 


we have 


it follows that 
5 
|T,(A1)| = 1, |T,(2)| = [Tz (63) | = |T, (@4)| = 7 


and 


min |T,(6;)| ay ee, 
1<i<4 gi 5 0 . 
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Chapter 6 M®) 
Fully Homomorphic Encryption cert is 


In 1978, Rivest et al. (1978) proposed the concepts of data bank and fully homo- 
morphic encryption. Some individuals and organizations encrypt the original data 
and store them in the data bank for privacy protection. Data bank is also called data 
cloud. Therefore, the cloud stores a large amount of original data, which is obvi- 
ously a huge wealth. How to use these data effectively? First of all, we must solve 
the problem of calculation of these encrypted data, which is called a privacy calcu- 
lation problem. Rivest, Adleman and Dertouzos conjecture that if all data is fully 
homomorphic encryption, that is, the addition and multiplication of ciphertext are 
homomorphic to the corresponding addition and multiplication of plaintext, then the 
encrypted data can be effectively computed by elementary calculation without chang- 
ing the structure of the plaintext data (under the condition of homomorphism). The 
RAD conjecture has been proposed for more than 30 years, but no one could solve 
this problem since the cryptographic structure of the fully homomorphic encryption 
system is too complicated. In 2009, C. Gentry, a computer scholar at Stanford Uni- 
versity, first proposed a fully homomorphic encryption scheme in Gentry (2009b) 
based on ideal lattice, for which he won the 2022 highest award in theoretical com- 
puter science—the Godel Award. Based on Gentry’s work, the second and third fully 
homomorphic encryption schemes based on LWE distribution and trapdoor matrix 
technology have also been proposed; see Brakerski and Vaikuntanathan (201 1a), 
(201 1b), (2012), (2014), (2015) and Gentry et al. (2013) in 2013. The main purpose 
of this chapter is to systematically analyze and discuss the above three fully homo- 
morphic encryption techniques, in order to understand the latest research trends of 
the post-quantum cryptography. 
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6.1 Definitions and Examples 


Let R; be the plaintext space, R2 be the ciphertext space, R be the keyspace. For 
SER, 


-—l 
Rea Re Re eR: 


we call f, the encryption function under the key s, and f.! is called the decryption 
function. In mathematical cryptosystem, f, is injective so that f.! is the left inverse 
mapping of f,, i.e. f-' f, = 1r,, which guarantees decrypting plaintext successfully 
with probability 100%. However, in probabilistic cryptosystem, f, is not an injective 
mapping, while the probability of f—' being a left inverse mapping should be close 
enough to 1, ie. 

Pri fo! fs = 1r,} > 1-6, V6 > 0. 


Hash function is a classic probabilistic cryptosystem. The phenomenon that two 
plaintexts are encrypted into the same ciphertext, in other words, one ciphertext 
could be decrypted into two plaintexts, is called a collision. If the probability of 
collision is small enough, then it is called an anti-collision Hash function. The cryp- 
tosystem constructed by the anti-collision Hash function is the mainstream algorithm 
of probabilistic cryptography. No matter mathematical or probabilistic cryptosystem, 
we treat the decryption transformation f.' as the left inverse mapping of f,, but it 
is only an equality with high probability. 

-1 
Definition 6.1.1 Let R, L > Ro i > R,, R be the keyspace, s € R, suppose 
R, and R> are additive groups. 


1. If there is s € R such that 
fol(er +02) = foe) + f'(c2), Wer, c2 € Ro, (6.1.1) 


we call f, the additive homomorphic encryption function. 
2. If ‘multiplication’ is defined in R; and Ro, and there is s € R such that 


fe '(c1e) = for) + fo"), Ver, c2 € Ro, (6.1.2) 


we call f, the multiplicative homomorphic encryption function, where s* is the 
corresponding key of s under multiplication. 

3. If f; is both additive and multiplicative homomorphic encryption function, then 
fs is called the fully homomorphic encryption function. 


Remark 6.1.1 The multiplication defined in the ciphertext space R2 is not closed, 
i.e. there are cj, C2 € Ro, CiC2 € R2. We denote the result of the multiplication as 
R> ® Ro, Le. 

Ve},€2 € Ro > c1- C2 € Ro @ Ro, 


then the corresponding key in R2 ® Ro iss* =s Qs. 
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Remark 6.1.2 By (6.1.1), fo'(ci +c2) is the plaintext u corresponding to the 
ciphertext c; + C2, fo (cy) and fo'(@2) are the plaintexts u;, uz corresponding 
to the ciphertexts c; and c3. (6.1.1) is equivalent to: 


Se +o) =u=u,+u, 


that is, ciphertext addition is homomorphic to plaintext addition, so is multiplica- 
tion homomorphism. If f, is fully homomorphic encryption, then we can perform 
polynomial calculations and rational function calculations on ciphertexts. By Taylor 
expansion, any elementary operation (exponential function, logarithmic function, 
trigonometric function, etc.) can be approximated by polynomials. Therefore, for 
fully homomorphic encrypted data c, we can do any elementary operation without 
changing the structure of the plaintext. 
We give a few examples to further understand the Definition 6.1.1. 


Example 6.1 Homogeneous Affine Hill Cryptosystem (see Chap. 4, Sect. 4.7 in 
Zheng 2022) is additive homomorphic encryption. 

Letqg 2 1 beapositive integer, Z, be the residue class ring mod g, A € Z;*" be an 
invertible n dimensional matrix. The Homogeneous Affine Hill encryption function 
is fa: Vm € Z7 is a plaintext, then 


c= fa(m) = A-me Z/, c is the ciphertext, 


it follows that i © = A~'c = m. For any C1, C2 € Lis we have 


fx (Ci +e) =A Mer +0) =A +A le = fae) + fa (2), 
so fa is additive homomorphic encryption. 


Example 6.2 The public key cryptography RSA (see Chap. 4, Sect. 4.7 in Zheng 
2022) is multiplicative homomorphic encryption. 

Let n > 1 be the product of two prime numbers, g(7) be the Euler function, 
1 <e < y(n), (e, p(n)) = 1, e be the public key, d = e~'! mod y(n), 1 < d < y(n), 
d be the private key, i.e. 


ed = 1 (mod g(n)), 1<d< g(n). 
We define the encryption function of RSA f. : Z, — Z, which is a one-to-one 
correspondence, 


c= fe(m) =m* (modn), Vm € Z,, 


the decryption function is 
fo '(c) = c4 (mod n). 
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Obviously, for any two ciphertexts c,, co € Z,, it follows that 


fo‘ (c1€2) = (c1¢2)* (mod n) 


=c4. cf (mod n) 


= f.'(c1) f, '(c2) (mod n). 


Thus, we have f>'(cic2) = f7'(c1)« f- '(c2) in Z,, and we confirm that RSA is 
multiplicative homomorphic encryption. 


Based on Examples 6.1 and 6.2, to construct a fully homomorphic encryption 
system, which is essentially a ring homomorphism between two rings in algebra, 
let’s look at the following Example 6.3 first. 


Example 6.3 Let R; and R2 be two commutative rings, encryption function f : 
R, — R, bea single ring homomorphism. The f is fully homomorphic encryption. 

In fact, since f is a single homomorphism and R; is the plaintext space, then 
F(Ri) C Ro is a subring of Ro, that is, the plaintext space is embedded into the 
ciphertext space. Let cj, cz € R2 be any two ciphertexts, there exist uj, u2 € R; > 
fu) =c1, f(z) = co, thus, 


fcr oe) = ff) + fw) 
= f"(f(a t+ u2)) = ua tu. = fcr) + f-' (2). 


Similarly, 
fo\(cres) = ff (us) + fun) 


= ffi) = uw = fe) f-'(@): 
Hence, f is fully homomorphic encryption. 


Next, we use the Chinese Remainder Theorem to construct an example of fully 
homomorphic encryption. 


Example 6.4 Let N = n,n2...n,x, where {n;} are mutually coprime positive inte- 
gers. Denote the plaintext spaces R; and R2 as 


Ri _ Zn, ® Zn, a -®Zn,, Ro = Zn, 


here R, is the direct sum of k rings Z,,. Leta = (a1, d2,..., ax) € R; bea plaintext, 
based on the Chinese Remainder Theorem, there is only one x € Zy such that 


x =a; (modn;), | <i<k. 
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We define the encryption function f : Rj — R2 as f(a) = x. Now we prove that f 
is fully homomorphic encryption. Let f(a) = x1, f(b) = x2, then 


Xp +x. =a, +b; (mod n;), Vi = 12s og Ke 


So we have ; : 
ff Gi t%x2)=atb= fi) + f~ G2). 
Similarly, 
Xx. = a,b; (mod nj), Vi = 1, D5 ar inians k. 
Therefore, 


f Gis) = a-b= fe) FG). 


This means that f is fully homomorphic encryption. By Chinese Remainder The- 
orem, the computing complexity of x is O(klog*N), we have the simplest fully 
homomorphic encryption in this example. 


From Example 6.4, it can be seen that it is not difficult to construct symmetric 
fully homomorphic encryption, but the data bank envisaged by Rivest, Adleman and 
Dertouzos are all data encrypted by public key cryptography. So RAD conjecture is to 
construct an asymmetric fully homomorphic encryption system. When the encryption 
key and the decryption key are separated, it becomes a very difficult work to satisfy 
the fully homomorphic property. The work of Gentry in 2009 or later only solve part 
of the RAD conjecture. They can construct a fully homomorphic encryption system 
under a bounded condition, while under the unbounded condition, the RAD problem 
is still an unsolved open problem. 

Fully homomorphic encryption is similar to ring homomorphism. When construct- 
ing an asymmetric fully homomorphic encryption system, because the problem is too 
difficult, Gentry decomposed the decryption transformation into a composite of two 
mappings in Gentry (2010). The fully homomorphic properties are discussed sep- 
arately for each composite factor, thus forming the current technology of bounded 
fully homomorphic encryption. 


Fs ee te 
Let R; BLA Ry —> R, be acryptosystem, assume that R; is a ring. Decompose 
fo! into Ry > R3 Ri, where R3 is aring, f-! = 07 0 01. If both oj and op are 
homomorphism of rings, then 


fol(cr +02) = on(o1 (cr + €2)) = 02(01 (C1) + 01 (€2)) 
= 0901(c1) + 0201(c2) = f, (c1) +f '(c2). 


Definition 6.1.2 Under the above assumptions, if there is a set M such that 


1. Tf f-'(e1) + foc) € MO R3, then 


fi (ate) = fo (a + f (2). 
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2. If f-'(cy) - fo (co) € MO R3, then 
fie (e102) = fo (er) fy (2). 


Generally, a bounded fully homomorphic can only perform a finite number of homo- 
morphic calculations. Because after repeated addition and multiplication of the 
ciphertext, the corresponding plaintext may run out of the boundary, so the homo- 
morphic property cannot be guaranteed. 


6.2 Gadget Matrix and Gadget Technique 


Gadget technique is developed from the work of Ajtai in 1999 (Ajtai, 1999), see 
Agrawal et al. (2010), Alperin-Sheriff and Peikert (2013), Alwen and Peikert (2009), 
Peikert and Waters (2008) and which plays an important role in bounded fully homo- 
morphic encryption. To better understand gadget matrix and gadget technique, we 
start with the classical short integer solution problem (SIS). 

Let A € Z)*" be a given n x m dimensional matrix, u € Z/ be the target vector. 
Find the shortest integer vector x € Z7 such that 


Ax =u (mod q), |x| < 6. (6.2.1) 


The shortest integer solution x in (6.2.1) is actually the shortest vector in the following 
q ary lattice 
Ly (A) ={xe ibe | Ax = u (mod g)} U qZi. (6.2.2) 

which is the general form of the SIS problem. If u = 0, the above problem becomes 
the classic SIS problem. For general matrix A, the SIS problem is difficult, but for 
some special matrices, such as the gadget matrix we will introduce later, the exact 
shortest integer solution is easy to find. 

We begin from n = 1, if A is an/ dimensional row vector (1 x / dimensional 
matrix), where / = [log,q], i.e. J is the largest integer such that 2!/"! < q < 2', let 


g=| + Jez. (6.2.3) 
aI-1 
Lemma 6.2.1 Let A = g’ be an! dimensional vector, then the shortest vector in the q 


ary lattice L(g’) could be accurately calculated. Suppose the binary representation 
of u € Zz is 
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u = (aoa...ai-1)2>a=] . Je Li (g’) (6.2.4) 
aj—| 


is the shortest vector. In other words, the smallest integer solution of g'x = u (mod q) 
isx =a. 


Proof u € Z,,0 <u <q, since 2'-! <q <2!', u could be represented as 
u=dat+a, eee ee ae a; =Oorl. 
Based on the definition of g in (6.2.3) and the definition of a in (6.2.4), we have 


g’a = u, it follows that a is the smallest integer solution of g’x = 0 (mod q). Lemma 
2.1 holds. 


The gadget vector defined by (6.2.3) can also be used as a sample of the one 
dimensional LWE distribution, so that the solution of the LWE distribution can be 
by 


by 
easily solved. Let A = g' € La b=] .]¢é Zi, we get the LWE,,,,,,; problem 


(see Definition 3.3.3 in Chap. 3) 


b; =, 2's; +e; (mod q), e= / | xs 1ST Sh 
el 


If the LWE distribution A, , = (i, b) is given, we can get the following relations 
with high probability 
Si =, 2'b; (mod gq), 1 <i <i. 


In order to generalize the above gadget technique to high dimensions, i.e. n > 1, 
we need to replace the gadget vector g defined in (6.2.3) with the gadget matrix. 
Let A = (Gij)nyxn., B = (bij)m,xm, the Kronecker product A @ B (see Chap. 2 in 
Zheng 2022) of the matrices A and B is defined as 


a,B ay2B es ain, B 


a2,B anB seers Arn, B 
A@B= . , ; : (6.2.5) 


ani B an, 2B nae Ann, B nym Xngmy 
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Definition 6.2.1 Assume n > 1, J, is the n dimensional identity matrix. We define 
the n x nl dimensional gadget matrix G as the following block diagonal matrix, 


G = I, ®g' = diag’, g’,...,g'} eZ", (6.2.6) 


where g is the gadget vector defined in (6.2.3). 


Lemma 6.2.2 Let G be a gadget matrix, u € Zi be the target vector. Then the short- 


est integer solution x € Zn of the SIS problem Gx = u (mod q) could be uniquely 
determined by lemma 2.1. 


uy 
Proof Letu =| : | € Zj bea given target vector, x be an n/ dimensional column 


Uy 
vector divided into 


X=]. | where x; € Z’, l<icn. 
Xn 


Based on the definition of gadget matrix G, the SIS problem Gx = u (mod q) is 
equivalent to the following n equations: 


gx; =u; (modq), 1<i<n. 


By lemma 2.1, the shortest integer solution of each equation could be uniquely 
a 


a2 
determined as x; = a; € Z',sox =| | | is the shortest integer solution of Gx = 


Xn 


u (mod q). 


-1 
Definition 6.2.2 For any u € ie we define function: Zi &, Zl as Go'(u) =x, 
where x € Z” is the shortest integer solution of Gx = u (mod q). 


Lemma 6.2.2 guarantees the existence of the function G~! and gives the way to 
compute the vector x. By Definition 6.2.2, we have 


GG~'(u) = u (mod q), (6.2.7) 


the above function G~! : Le Z" could be regarded as the ‘inverse’ matrix of the 
gadget matrix G. 
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When using the gadget matrix G as the LWE distribution sample to solve the 


S] 
52 
LWE problem, notice that for any n dimensional vector s = | . | € Zi, we have 
Sn 
s'G = (s18', 528", ..-45ng’) € ZY. (6.2.8) 


For the LWE distribution A, , = (G, b), where b € Zn , to solve the private key s, 
al nl n 
b=s'G, bez, seZi, 


based on (6.2.8), it can be transformed into n one dimensional LWE distribution 
problems, which has been discussed above. 

The solutions of the SIS problem and the LWE problem discussed above are easy 
to compute because these problems are based on specific gadget vectors and gadget 
matrices. To get more general results, we need the trapdoor matrix, the tag matrix 
(tag) and the Gauss matrix. An integer matrix R is called a Gauss matrix, if all of 
its components are independent and have the discrete Gauss distribution. Since the 
Gauss distribution has the greatest probability near 0, a random Gauss matrix is also 
called a short integer vector matrix in the sense of high probability. 


Definition 6.2.3 Let A € Ly” be a given matrix, R € Z"*"! be a Gauss matrix, 
H €Z;,*" be an invertible n dimensional square matrix, G € a be a gadget 
matrix, if 

AR = HG (mod q), (6.2.9) 


then we call R as the trapdoor matrix of A, and H is the tag matrix. 


Generally, A is called the check matrix, and R satisfying (6.2.9) is called the trapdoor 
matrix of the check matrix A with the tag H. To better understand the Definition 
6.2.2, by Lemma 6.2.2, the SIS problem generated by the gadget matrix G can be 
easily calculated. If H € Z)*” is an invertible matrix, then the SIS or LWE problems 
generated by HG are also easy to compute. In fact, for any target vector u € Z)*", 


HGx = u (mod q) & Gx = H~'u (mod q). 


The shortest integer solution of the SIS problem in the right hand is G-!(H~'u); 
therefore, the shortest integer solution of HGx = u (mod q) is x = G7!(H~'u), 
where the target vector is replaced by H~'u. We can discuss the LWE problem 
generated by HG in the same way. Next we generalize the results to a general 
matrix A. 


Lemma 6.2.3 For any check matrix A € Zi", the shortest integer solution of the 
SIS problem Ax = u (mod q) generated by A could be approximated as 
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x= Rw, whereew=G '(H'un), (6.2.10) 


R is the trapdoor matrix of A with tag H. 


Proof If the trapdoor matrix R of A exists, let x = Rw in the SIS problem 
Ax = u (mod q) (x € Z”, the target vector u € Z7) generated by A, where w € ig 
therefore, 

Ax =u (mod gq) > ARw = u (mod q), 


we have 
HGw =u (mod q) > w=G"!(A!n). (6.2.11) 


Since w is the shortest integer solution of (6.2.11), and the trapdoor matrix R is 
a Gauss matrix, so x = Rw = RG~'(H~'u) is a short integer solution of the SIS 
problem generated by A, i.e. we can regard RG~'(H~'w) as an approximation of 
the SIS problem. 


To quantify the efficiency of the approximation of (6.2.10), we define the mass 
5,;(R) of the trapdoor matrix R 


sj(R) = max [RzI. (6.2.12) 
zeZ™ |z|=1 
By (6.2.10), 
|x| = |Rw| < 51(R)|wI, (6.2.13) 


thus, the smaller s;(R) is, the shorter |x| is, and the approximation of the solution of 
the SIS problem is more accurate. So we can say that the smaller s;(R), the higher 
mass of the trapdoor matrix R. 

Finally, let’s discuss the generation of trapdoor matrix. For any uniformly dis- 
tributed random matrix A € LP suppose R € Naa is a Gauss matrix, let 


A=[A,HG-AR]€Z?", m=m+al, (6.2.14) 


where H € Z*” is a given invertible matrix, G is the gadget matrix. 


Lemma 6.2.4 /f A is given by (6.2.14), then the trapdoor matrix of A with the tag 
His 
R 


R= (; ) eZ" m=m+ni. (6.2.15) 


Proof From the definition of A and R 
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= HG (modq), 


n 


so the trapdoor matrix of A with the tag H is (7). 


The mass s;(R) of the Gauss matrix R can be estimated using classical ran- 
dom matrix theory. The following result is referred from R.Vershynin’s monograph 
“Compressed Sensing, Theory and Applications’ Chap. 5, p. 210-268, Cambridge 
University Press, 2012. 


Lemma 6.2.5 Suppose R = (7) is given by (6.2.15), R is a Gauss matrix with 


parameter s in the Gauss distribution. Then we have the following relation with high 
probability 
5\(R) = O(s(V/m + Vnl)). 


Proof Based on the definition of trapdoor matrix, 


R 
si(R) = max |Rz]}= max | Z| 
zeZ" |z|=1 zeZ",|z\=1! (In 


= ie |= = max (Rz|?+\|z\?, 
cz" | lz _ 1 zeZ" |z|=1 


denote R = (1; jmxni, Where rj; has the discrete Gauss distribution with parameter 
s. By Chebyshev inequality, for any positive integer k, 


ee nee 2 ey em Ee 7 ;-_! 
Miz] S KSy ZL a = : 
q k252 In k2s? Qn k2 


It follows that the probability of all the m - nl variables r;; satisfying |r;;| < ks is at 
least (1 — sp >)! We choose k large enough so that this probability is sufficiently 
close to 1, thus, 


nl 
si(R) = Pe | Rzl? + |z/? [Edt rp +1 
EZ” |\z|= 


Dd, 


<V1+mnlk2s? < Ks(/m+ Val), 


where K = (k + 1)/ mal / (/m + \/nl), so we have 


Pr{s\(R) < Ks(/m + Vnl)} > A inl 
Qn k2 
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i.e. in the sense of high probability 


5(R) = O(s(V/m + Vnl)). 


6.3 Bounded Fully Homomorphic Encryption 


In 2009, C. Gentry of Stanford University in the USA first proposed a bounded fully 
homomorphic encryption based on ideal lattices, which has a great influence in the 
field of theoretical computer science, and a number of improved works have been 
proposed one after another. Brakerski and Vaikuntanathan proposed a fully homo- 
morphic encryption system based on the LWE cryptography in 2011 (see Brakerski 
& Vaikuntanathan, 2011a, 2011b, 2014, 2015), which we call BV fully homomor- 
phic encryption. Another improvement is the fully homomorphic encryption using 
trapdoor matrix proposed by Gentry, Sahai and Waters in 2013, which we call GSW 
fully homomorphic encryption. BV and GSW cryptosystems are currently the most 
active and cutting-edge research. The main purpose of this section is to introduce 
these two fully homomorphic encryption systems. 


1. BV fully homomorphic encryption 


Review the LWE cryptosystem by Regev introduced in Chap. 4. Let n > 2, gq > 2, 
X is a given distribution on Z,. The (n — 1) dimensional LWE distribution obtained 
by random sampling is (see Definition 3.3.2 in Chap. 3) 


i = @,b) eZ" x Z,, 


b =,<a,s > +e (mod q), G31) 


where a € Zn! is uniformly distributed, s € Zn! is the randomly chosen private 
key, e € Z, has the distribution x. Generally, x is chosen as the discrete Gauss 
distribution on Z,. Let 


a= (;) € Zi, s= (7) eZ; 


ais the public key and s is the private key. The key equality of the LWE cryptosystem 
(m = 1) encryption and decryption algorithm is: 


<a,s> = (-5’, 1) (7) 


= b<a,s> =, e (mod gq), (6.3.2) 


e € Z, has the discrete Gauss distribution, and e is very close to 0 with high proba- 
bility, so it is also called the error term. 
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To better understand the fully homomorphic encryption technology based on the 
above LWE cryptosystem, we rewrite it into the form of symmetric encryption by 
formula (6.3.2). 


Most significant bit 


Let s € Zj be a private key, g > 2 be an odd number, u € Zp be the plaintext. The 
most significant bit of plaintext u by the LWE distribution A is c = f4(u), where 
ce Zi is the ciphertext, satisfying 


<S,c> Sy u 5 | (mod qg), cE Z", (6.3.3) 


where <s, c> is inner product. Equation (6.3.3) is not an exact congruence equation, 
but a congruence equation with error which has small probability. It should be noted 
that the encryption function f4 is only formal, and its specific algorithm depends on 
the samples of the LWE distribution (see Chap. 4). 

Using the private key s € Z7, the decryption of the ciphertext c is defined by 


{i ey |=. >| (mod q) 


=, |= Lu] (mod g) 
=, u(mod q) (see Lemma 3.3 in Chap. 4). (6.3.4) 


In order to better understand the fully homomorphic property (bounded) of the LWE 
cryptosystem, we write the most significant bit as the following equivalent least 
significant bit. 


Least significant bit 


Assume q > 2 is an odd number, let m = u (mod 2), and ST <mc< = u bea given 
plaintext u € Zp, i.e. 


m €{u+2Z}N(— 35,5]. (6.3.5) 


The least significant bit of u is f'4(u) = c € Zj, where the ciphertext c satisfies 
<s,c> =m (mod q), (6.3.6) 


(6.3.6) is an exact congruence equation. 
The decryption of the ciphertext c still uses the private key s € Z/, which is 
divided into the following two steps: 


1. There exists only one m satisfying m = <s,c> (mod q), and -% <m< 4. 
2. u =m (mod 2), then we get the plaintext i (c) =u. 
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We will prove that the most significant bit and the least significant bit are actually 
equivalent for multibit plaintext in the general case. First, we look at the difference 
between the two encryptions in the case of u € Z,. Write Eq. (6.3.3) in the error 
form, 


<s,c> =et+u |S (mod q), 


then 


fii Oz Fa + u (mod q). 


For a real number x, |x] =0< —5 <x< 5, Ne) me <e< i. Compared with 


(4.1.7) in Chap. 4, the decryption of the Regev’s cryptosystem is actually Eq. (6.3.4) 
here. This observation enables us to construct corresponding cryptosystem for multi- 
bit plaintext. 

Let 1 < p < q be two positive integers, (p, q) = 1, Z, be the plaintext space, Z7 
be the ciphertext, s € Z) be the randomly chosen private key. 

Most significant bit: for a given plaintext u € Z,, we define the most significant 
bit of u as M(u) = w € Z, satisfying 


Fa =u (mod p), (6.3.7) 


in fact, based on w = <s, c>, we can write the ciphertext as, 
_|4 
Mi) =w= Fa (mod q), (6.3.8) 
P 


the decryption function 


M'(w)= Fa =u (mod p), 


we can get the plaintext uw. 
Least significant bit: the least significant bit for a given plaintext u € Zp is v, i.e. 
L(u) =v € GZ, satisfies 


v =e (modq), e =u (mod p), = exs, 


the decryption for the ciphertext v: there exists only one e é€ [ - $) >v= 
e (mod q), let u =e (mod p), then M~'(v) = u. In fact the v here is <s,c>. 


Lemma 6.3.1 [f 1 < p <q, (p,q) =, then the most significant bit and the least 
significant bit are equivalent. 
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Proof Since (p, q) = 1, then there are integers cp, € Z, cg € Z => 
Cyp-P+Cg-qeal. 


Actually c, is the multiplicative inverse of p under mod q, c, is the multiplicative 
inverse of g under mod p. Denote c, = p~! and Cq = gt 
Assume v € Zz is the least significant bit of the plaintext u € Zp, i.e. L(u) = v. 
We are to prove that the most significant bit of the plaintext —q~'u € Z p 1S p ive 
Ziq, i.e. 
M(—q"'u) = pv. 


Based on v = e (mod q), e € {u + pZ} N[—§, 4), so we have 


ergs 
—p vil= —e—— 
q q P 
e 
= gq! 


= —_,-1 
=—-cye=—q 


u (mod p), 


this means M(—q"'u) — pty: On the other hand, if w = M(u), i.e. w is the most 
significant bit of the plaintext u, we confirm that the least significant bit of —qu is 
just pw € Zz, ie. 

L(—qu) = pw € Zy, 


by the definition of the most significant bit, 


ka = Pw r =u (mod p), 
q 


} <r < },s0 (since (p,q) = 1) 


where — 
pw — qr = qu (mod p). 


Let gr = e, we get 
pw — e = qu (mod pq), 5 <e< 5 


it follows that pw = e (mod q), and e = —qu (mod p), namely L(—qu) = pw. 

Above all, there is a one-to-one correspondence between the most significant 
bit and the least significant bit for a plaintext, so the two forms of encryption are 
equivalent. 
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Finally, we discuss the fully homomorphic property of the BV encryption system, 
which is summarized in the following theorem. 


Theorem 6.3.1 Let p = 2, q > 2 be an odd number, then the BV encryption system 
is bounded fully homomorphic encryption, and its fully homomorphic boundary is 


M=(-4,4]. 
22 


Proof Based on the least significant bit of the BV encryption system, its decryption 


function 4-7 can be divided into two parts: R3 = Zg, Zg iN Zy = R, is natural 
homomorphism, then f-' could be decomposed into 


Z) + MN Z, —> 1, 
where 0; is defined for any ciphertext c € Z”,c ~meMn Zq satisfying 
<s,c> =m (modq). 
Since there exists only one m satisfying the above formula, o; is well-defined. It 
follows that 
<S,Cj +02 >=< S,C)] > + <S,02> 
=m, +mp? (mod q), (6.3.9) 
Le. oj (cy + cz) =m, + mp, ifm; + mz € MN Zz, then 
fo'(c1 + e2) = o2(01 (C1) + 01 (€2)) 
= 07(m; + m2) 


=u; + uz (mod 2), 


so we have 
fol(er+e2) = uy tun = foc) + fo"), 


fs is additive fully homomorphic encryption. 

To introduce the multiplicative homomorphism, we define the Kronecker convolu- 
tion for two vectors in Lp Let cy = (C11, C12,.--, Cin) € Zi C2 = (C21, C22, .- +, Crp) 
E Zi be two row vectors, we define the Kronecker convolution of c; and cz as cy ® C2, 


C1 Br = (Chi + Caj)i<ij<n € a (6.3.10) 
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Obviously, for any four vectors a, b,c, d € Zi we have 
<a®b,c@®d> = <a,c>-<b,d>. (6.3.11) 


In fact, let a = (aj, d,...,4n), b= (bj, bo, ..., bn), C= (C1, C2,..-,€n), d= 
(d, do, es dn), by (6.3.10), 


n 


<a®b,c®d>= 5 abe, 


i=1 j=l 


n 


=| @enO) bid; 
j=l 


i=l 
= <a,c>.<b,d>, 


thus, (6.3.11) holds. 

Let cy, co € Zi be two ciphertexts, 5 € Zi be the private key, we define the multi- 
plication as Kronecker convolution in the ciphertext space Zi Suppose s* = 5 @s, 
then the decryption function [i is a mapping of Ze — Zp». Based on (6.3.11), we 
have 

<S @S,Cj @C2> = <S,Cj>+ <S, 02> 


=mj,-m>, (mod q). 
If mymz € MN Zz, then 
m, = uy, (mod 2), mz = uz (mod 2) > mym2 = u,uU2 (mod 2), 


namely 


fei(r®oa)= foc): fo'@), 


i.e. f; Satisfies the multiplicative homomorphism. So we prove the bounded fully 
homomorphic property of the BV encryption system, and its fully homomorphic 


boundary is M = (—$, 4]. 


The above Theorem 6.3.1 can be generalized to the multibit case, that is, plaintext 
u € Zp, ciphertext c € Zi (p,q) = 1. Under these assumptions, the BV multibit 
fully homomorphic encryption system can be constructed, and we leave it as a ques- 
tion for the readers. Note that the dimensions of the ciphertext space and key space 
grow from n to n? by the Kronecker convolution. The dimension could be reduced 
by using the gadget technique in Sect. 6.2. This reduction technique is called key 
conversion. 
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Key conversion 


Let Cin = C1 ® Co be an nj, dimensional ciphertext, where cin and nin represent the 
input ciphertext and the dimension of the ciphertext. By the most significant bit of 
BV fully homomorphic encryption, then 


<Sin, Cin> = 8/y- Cin Sy U E; ] (mod q). (6.3.12) 


The above formula is obtained from (6.3.3), where sj, is the private key with dimen- 
sion nin. In order to reduce the dimension 7;,, we construct a private key soy, with 
lower dimension and convert the input ciphertext cj, into the output ciphertext Cout 
encrypted by sour. Of course, the dimension ox of the output ciphertext Coy, and the 
key Sout is much smaller than the input dimension njy. To do this, let G be the gadget 
matrix, 

Gal, @¢c, = diagle, Gal 


in? Cin peneseg Nin Xn? * (6.3.13) 


G is the nin x ne , gadget matrix generated by the nj;, dimensional vector cin. By 
(6.2.7) and (6.3. 12), we have 


<Sin, Cin> = S/o + Cin = (8/,G) - G7" (Cin) Sy E ] (mod q), (6.3.14) 
where G~!(ci,) = x is the shortest integer solution of Gx = ci, (mod q). Based on 
(6.2.8), sf, -G is an Ae dimensional vector. 


2 
Lemma 6.3.2 For anyn < Nin, then there exist a matrix K € Ze and ann dimen- 
sional private key Soy with high probability such that 


-K =, S;,°G (mod q). (6.3.15) 


Sout 


Proof The construction of the matrix K and the transformed private key sou are 
related to the resampling technique (Bootstrapping) of the LWE distribution. For a 


2 
given vector b' = si, Ge Ze, we can take a sample soy € Zj for very small error 


distribution e € Z;” (with high probability) and 
A= [d),42,...,4n,], Va; € Zi 


satisfying (see 4.1.3 in Chap. 4) 


) A 
(Sour — DD) (7) =, e (mod q). 


Since e is a very small error term, the above equation can be written as the form of 
random congruence 
SoA =, b' = s/,G (mod q). 


out 
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7 
nxn, 


Let kK =A eZ, ™, we have 


Sink = 5;,G (mod q). 


out 


Lemma 6.3.2 holds. 


Remark 6.3.1 K is the public key which could be made public, the security of the 
private key sou, will not be affected based on the security of the LWE distribution. 


By (6.3.14) in Lemma 6.3.2, the input ciphertext cj, is converted into a new output 
ciphertext Cour = K G7! (Cin). Cout iS obtained by using the key Sout, this is because 


SoutCout = ike (Cin)) 
el -1 = q 
=, 5,G-G (Cin) =, u | (mod q). 
We replace cin = cy ® C2 and Sin = 5 @ 5 with the new ciphertext coy, and the con- 
verted key Sour, which significantly reduces the dimension of the ciphertext. 


2. GSW fully homomorphic encryption 


In 2013, Gentry et al. (2013) further improved BV fully homomorphic encryption 
by using gadget matrix and gadget technology. The greatest advantage is that fully 
homomorphic multiplication does not require the key conversion introduced in the 
previous subsection. 

First, we select a random matrix A € Ta. with the number of columns 7m large 


enough. Define the following two matrices by A 


Aj =x;G — AR; € Z?™, i = 1,2, (6.3.16) 
where x1, x2 € Zg are two integers, G is the gadget matrix, 
G = diag{g’, g’,..., 8'Juxn, 8’ € Z_, 
here / = [log,qg], Ri € ‘gaa is the Gauss matrix. 


Lemma 6.3.3 1. The trapdoor matrix of [A, A, + Aglis e : = the tag matrix 
n 
is X{I, + X2Iy. 


2. The trapdoor matrix of [A, A;G~!(A2)] is & 


1 ) the tag matrix is x,Xx2In, 
n 


where 
R= x,R.+R\G '(A)). (6.3.17) 


Proof By (6.3.16), it is easy to get 


Aj + Aa = (x1 + 42)G — A(R + Ro). (6.3.18) 
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We regard each column vector of Az as the target vector vu in Lemma 2.2, then the 
inverse matrix G~! in Definition2.2 can be generalized to G~!(A2) € an xml here 
G~!(A2) = x is the shortest integer solution of (because each column of the matrix 
x is the shortest integer solution) 
Gx = A; (mod q). (6.3.19) 
Thus, (6.2.7) generalizes to 
G - (G"'(Az)) = Az (mod q), (6.3.20) 


so we have =) 
A\G~'(A2) = (x1G — AR,)G7'(A2) 


= x) A> — AR|G~!(Ap) 
= x1xX9G — x, AR) — AR, G~!(A>) 


= x1xX2G — A(x, Ro + R1G~!(A2)). (6.3.21) 
Let A =[A, A; + Ao], R = é 4 ) by (6.3.18), we get 


AR = A, + Ao + A(R; + Ro) = (4) + )1,G, 


therefore, R is the trapdoor matrix of A, and the tag matrix is H = x;J, + x2I,. We 
have proved (i) in this lemma. To prove (ii), let 


A= (4, AiG""(A)], R= (7) ; 


where 
R = x,Ry+ RiG (Ap). 


Based on (6.3.21), 
AR = AR+ A\G !(Ap) 


= Ax, R> + AR,G~!(A2) + AiG '(A2) 


= X1xX2G, 


this implies R = (; 
So (ii) in this lemma holds. 


) is the trapdoor matrix of A, and the tag matrix is H = x, x2J,. 
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In order to fully prove the conclusion of lemma 3.3 , it is also necessary to prove 
that the corresponding trapdoor matrix is a Gauss matrix, which is summarized in 
the following lemma. 


Lemma 6.3.4 /f R is a Gauss matrix, then (7) is also a Gauss matrix. If Ry and 


I, 
R» are independent Gauss matrices, then R, + Rz is a Gauss matrix. 


Proof Since 0 and | can be regarded as discrete Gauss distributions with parameter s 


R\. : 

I is also a Gauss matrix. On the other hand, the sum of two 
n 

independent random variables with Gauss distribution still has Gauss distribution, 

so R; + Ro is a Gauss matrix. The lemma holds. 


close enough to 0, then 


Now we discuss the workflow of the GSW fully homomorphic encryption. 

Key: the public key is A € Lm, m =n -+nl,eachcolumn of A is an independent 
sample of the LWE distribution A, , under the private key 5 € Z| Lets = (7) € 
Lins if x has discrete Gauss distribution, we have (see 4.1.3 in Chap. 4) 


s'A =, 0 (mod q), (6.3.22) 


with the private key s = ey € Zi. 
Encryption: let x € Z be a plaintext, f(x) be an n x nl dimensional matrix A 
encrypted for x, 
f(x) =A=xG—AR, (6.3.23) 


i.e. A is the ciphertext, G is then x nl gadget matrix, R € YS is a Gauss matrix. 


Decryption: based on (6.3.22), decrypt A with the private key s = (7) , 


s'A=xs'G—s'AR 


=, xs'G (mod q). (6.3.24) 


Correctness: since s’A is a given ciphertext matrix, and G is the gadget matrix, 
by (6.2.8), 
xs’G =, s'A (mod q), 


we can solve the only one solution xs’ with high probability, and get f—'(A) = x. 


Theorem 6.3.2 The GSW encryption system is bounded fully homomorphic encryp- 
tion, where the addition and multiplication of the ciphertexts are defined as if 
A, = f(x), A2 = f (%2), then A, + Ag is the matrix addition, and 
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Aj Az = AiG7!(A2) € Znxn! (6.3.25) 


is the matrix multiplication. 


Proof The conclusion of theorem 2 is actually implied in lemma 3.3. Let x,, x2 € Zy 
be two plaintexts, 
Ai = f(x) = x1G — AR, 
Ar = f(%2) = 12G— AR», 


then _ 
A, + Ag = (x1 + X2)G — ACR, + Ro), 


so we have (with high probability) 
fo'(Ar + Aa) = x1 +42 = f'(Ai) + f"(Ad). 


Let 
R= x,R2+ RiG (Ad), (6.3.26) 


according to (6.3.21), 
A\A2 = AiG7!(Az) = x142.G — AR, 


therefore, 
fo'(A1A2) = x10. = f(A) f' (Ad). 


Since GSW encryption system is based on Gauss distribution, the Gauss matrix in 
(6.3.23) has errors. The error will be larger by adding and multiplying the cipher- 
text matrix many times. GSW encryption system is bounded fully homomorphic 
encryption, so it is necessary to control the error when adding and multiplying the 
ciphertexts in order to ensure high probability. This is because the larger the error 
of Gauss distribution, the smaller the probability, and the probability that the above 
equation holds also decreases. 


To complete the proof of Theorem 6.3.2, we need the following lemma. 


Lemma 6.3.5 [f R, and R> are Gauss matrices, then the matrix defined by (6.3.26) 
is also a Gauss matrix. 


Proof Since both R; and R are Gauss matrices, then x;R2 and R,G~'!(A2) are 
Gauss matrices, based on lemma 3.4, 


R=x,;R)+ RiG '(A2) 


is a Gauss matrix. Lemma 3.5 holds. 
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Finally, we emphasize that the advantage of GSW fully homomorphic encryption 
is that the dimension of ciphertext multiplication does not increase. The ciphertext 
multiplication defined by (6.3.25), in fact, A; Az and A;, Az are in the same ciphertext 
space. 


6.4 Construction of Gentry 


In 2009, C. Gentry first proposed a bounded algorithm for fully homomorphic encryp- 
tion, which partially answered the RAD problem. The work by Gentry is an abstract 
description of fully homomorphic encryption (Garg et al., 2013a, 2013b; Gentry, 
2009a, 2009b, 2010; Gentry et al., 2012a, 2012b, 2013a, 2015; Gentry & Halevi, 
2011). It is difficult to understand the ideas and technologies by Gentry since there 
are many linguistic concepts. On the basis of BV fully homomorphic encryption and 
GSW fully homomorphic encryption in the previous section, it is possible for us to 
better understand Gentry’s ideas and methods. 

Recall the working principle of the most representative public key cryptography 
RSA. Suppose WN is the product of two different prime numbers, pk denotes the public 
key, and the public key of RSA is pk = (N, e), where 1 < e < g(N), (e, g(N)) = 1, 
g(N) is the Euler function of N. For any plaintext 7; € Zy (0 < 7; < N), the 
encryption algorithm of RSA is w; = 7/ (mod N), we write 


{w; <— 7; mod N} (6.4.1) 


as the cryptosystem of the ciphertext yy; encrypted by the plaintext 7; using the public 
key pk. If there are t¢ ciphertexts {w1, W2,..., W%}, obviously, 
t 


Wi 


1 


L 


t t € 
{fw < (hm) mod Nf 
i=l i=l 


this shows that the product I; of t ciphertexts yy; is encrypted by the product I}_, 7; 
of the corresponding ¢ plaintexts z;. In other words, the plaintext corresponding to 
the product of the ¢ ciphertexts is the product of the rf plaintexts zr;. In section 6.1, 
we use the decryption algorithm to describe this multiplicative homomorphism as 


(1 m:) (mod N), 
i=l 


so we have 


- (4 vs) = fh). 


In order to define homomorphic encryption more generally, we first introduce the 
concept of circuit, which is widely used in the computer field. 
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Definition 6.4.1 A circuit C on the set A is a multivariate mapping defined on A. 
For any t elements a), d2,..., a; € A, C(a, dz, ..., a) is the image of the mapping 
C. From the perspective of computer work, we can take (a), dz, ..., a;) aS an input, 
and C(aj, a2,...,a;) is regarded as one output. Multiple input and output can be 
viewed as a circuit. If there are multiple circuits C on A, the set of these circuits is 
written as C4. 

In a public key cryptosystem E, we use pk and sk to represent the public key and 
the private key respectively. Of course, pk and sk are not just one element, there may 
be many public and private keys. 


Definition 6.4.2. A public key cryptosystem E with the circuit set Cg is called a 
fully homomorphic encryption system, if E contains the following four algorithms: 


1. Key generated algorithm, denoted as KG_. 
2. Encryption algorithm, denoted as Ey. 

3. Decryption algorithm, denoted as Dyz. 

4. Ciphertext algorithm, denoted as Eval,. 


For any public key pk, and any circuitC € Cg onthe plaintext space, any ¢ ciphertexts 


Wi, Wo,..., Wt, where 
Wi — Ene (pk, mj), 1 <i <t, (6.4.2) 
the ciphertext algorithm Eval, is to compute 


w < Evale(pk, C, Wi, Wa, .-., Wr), 


where y is the encryption of C(zr), 72, ..., 7,) under the public key pk, i.e. 
w< Ene(pk, C(m, %2,...,7)). (6.4.3) 


Remark 6.4.1 The number of elements of a circuit is denoted as |C|, which is called 
the boundary of the circuit. Usually the computational complexities of KGr, Engr, 
Dyg and Eval, are polynomial of the security parameter A and the circuit boundary 
IC]. 


Remark 6.4.2. An equivalent form of (6.4.3) is 

C(m1, 2,..., U1) = Dune), (6.4.4) 
that is, the plaintext corresponding to the calculation result y under the ciphertext 
algorithm Eval, by the ft ciphertexts , w2,..., Ww, is the output in the circuit 


C(m1, %2,..., 1) by m1, 12, ..., 1. Therefore, in a fully homomorphic encryption 
system, the plaintext circuit C actually defines the ciphertext circuit D, where 


Din, Wa, ae} Wi) — Evalg(pk, C, Wi, Wo, SF 8 Wi) 
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satisfying 
Dne(D1, Wa, -- +s Wr) = Ct, Wa, ..., MH). (6.4.5) 


The basic idea of Gentry is to construct fully homomorphic encryption ona general 
ring. In order to prove the security, the ideal of a quotient ring on the rounding function 
ring Z[x] is corresponding to an ideal lattice in Z” (see Chap. 5), so the construction 
of Gentry is called fully homomorphic encryption based on ideal lattice now. 

Let R be acommutative ring with identity, J and J are two coprime nonzero ideals 
in R, i.e. 1+ J =R, R/I and R/J denote the quotient rings. The construction of 
Gentry can be divided into the following steps: 


@® Fix an ideal J of R and a basis B; of J. 

@® For any ideal J of R, (J, J) = 1, we give an ideal generating algorithm 
IdealGen(R, B;) to generate the public key basis B oy and the private key basis 
Be. In fact, BY could be chosen as another ideal J; of R, such that J = Jj, 
Bs* = B,, is the basis of Jj. 

@® Construct a sampling algorithm Samp(x, B;, R, By), 


Samp(x, B;, R, By) = a representative element of additive coset x + J =X. 


@® In the ciphertext algorithm any circuit of R is computed in R/J, i.e. if x1, x2 € 
R/T, then C(x1, x2) = x3 (mod /). Take the addition circuit and the multipli- 
cation circuit as an example, for any x1, x2 € R/I, x; + x2 = x3 (mod J), there 
exists only one x3 under the sampling algorithm Samp(x, B;, R, B;), which is 
denoted as Addg,. Similarly, the multiplication in R/J is denoted as Multz,. 

© Ciphertext generation. Fix a ring R and an ideal J of R, then 


KG(R, B;) = (BS*, BP") < IdealGen(R, By), 


the plaintext space is a representative element set of the quotient ring R/T. 


The public key contains R, B;, B : * and the sampling algorithm. 

The private key sk contains ean 

The encryption algorithm: the plaintext space is R/J, for any plaintext u € R/T, 
based on the sampling algorithm we have Samp(u, B;, R, BP) — w’, the encryp- 
tion algorithm En(pk, u) is defined as 


En(pk, u) =v = W' mod BM, 
The decryption algorithm De(sk, yw) is defined as 


u <— (y mod BS‘) mod By. 
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The ciphertext algorithm: if ¥%, yw are two ciphertexts, then the addition and 
multiplication are defined as 


Add (pk, 1, W2) = Wi + 2 = (Wi + Yo) mod BP, 


Mult (pk, Wr, Wa) = Wia = ir) mod BP. 


The key of Gentry’s construction is to verify the correctness of encryption and 
decryption and the homomorphism property of the ciphertext algorithm. We call the 
above public key generation algorithm, encryption algorithm, decryption algorithm 
and ciphertext algorithm as the fully homomorphic encryption system of Gentry, 
denoted as E. In order to prove the fully homomorphic property of E, we observe 
that there are two kinds of circuits in E. First, the circuit C used for encryption is 
defined by the addition and multiplication in the quotient ring R/J. The other circuit 
used in the ciphertext algorithm is defined by the addition and multiplication in R 
itself, which is called the generating circuit. 


Definition 6.4.3 Given a circuit C in the plaintext space, we call g(C) its generating 
circuit if the operation of mod B; in C is replaced by the original addition and 
multiplication. 


Definition 6.4.4 Let X.,- be the image of R/J under the sampling algorithm Samp, 
i.e. Xenc is a set of representative elements of R/J, and Xen; is a plaintext space, so 
the ciphertext space is {X,.,- + J}. Define X p,. as R mod Be , 1.e. the representation 
of the elements in R/J under mod Be 


Definition 6.4.5 The circuit satisfying the following condition in the circuit set Cr 
is called an allowable circuit set, 


Cr = {C: V(x, X2,...,4%,) € 5 aan => g(C)(%1,%2,...,X1) € Xdec}. (6.4.6) 


On the basis of the above definitions and notations, the main conclusion of Gen- 
try is that for any ciphertext [see (6.4.3)] in any allowable circuit, it has the fully 
homomorphic property. 


Theorem 6.4.1 Let Cg be an allowable circuit set, then the ciphertext encrypted by 
any allowable circuit C in Cg has the fully homomorphic property. 


Proof LetC € Ce,W = {W, Wo, ..., Wr}, where each y; is the encrypted ciphertext 
of the allowable circuit, so each ciphertext yy could be written as 


We = Te + ik + jks wm, € R/T, ix € TL, Ike € J, 
and my, + ix € Xenc. We have 


Eval(pk, C, w) = g(C)(W) mod BY 
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If C € Cg, then 
B(C)(Xenc, Xenc, sey Xenc) € X Dec, 


therefore, 
Decrypt(sk, Eval(pk, C, )) 


= g(C)(m +4, 2 + i2,..., 0, + is) mod B; 
= g(C)(m1 +72 +---+7;) mod B; 
= C(m, 7, rire ee 


Applying the above conclusion to the addition circuit and the multiplication circuit 
respectively, we get the fully homomorphic property in the allowable circuit. 


We choose R = Z[x] /<f(x)>, where f(x) € Z[x] is a monic polynomial of 
degree n. Each polynomial in the quotient ring R corresponds to a vector in Z”: 


ao 
ay 
a(x) = ag tayxt---+a,_ix" |e RoOa= . eZ". 


Qn-1 


Furthermore, the correspondence between the ideal in R and the ideal lattice in Z” is 
one-to-one (see Chap. 5). For example, J = <a(x)> is the principal ideal generated 
by a(x) € R, then 

<a(x)> =I <> L(HA*(a)), 


where H*(q@) is the ideal matrix generated by a, L(H*(q)) is the integral lattice 
generated by H*(qa). For J C R, I is not a principal ideal, based on Chap. 5 we 
know 

LU) = {a |a(x)e Ic Z" 


is an integral lattice. Denote B; as the generating matrix of L(/), then B; is the basis 
of ideal J in the construction of Gentry. In the key generation algorithm constructed 
by Gentry, the public key is By * We select an ideal J C R such that (7, J) = | with 
the basis B;, i.e. J is the generating matrix of the corresponding ideal lattice L(J). 
For convenience, 

B?* = the HNF basis of L(J) 
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is the Hermite normal basis of L(J). The private key is B**, we choose an ideal J, 
larger than J,ie. J C Jj CR, J) 4 J, 80 


Re = the generating matrix of the ideal lattice L(J,). 
Since J C J), by the homomorphism theorem of ring we have 
Ji/J = (R/S) /(R/J))- 


Here R/J, is a subring of R/J, so in the sampling algorithm, for any a € R/J, we 
can find only one aj, € R/J\. 

Above all, we can take R as a specific quotient ring Z[x] / < f (x)> of the integer 
coefficient polynomial ring Z[x] to realize the construction of fully homomorphic 
encryption by Gentry. Since the correspondence between the ideal in R and the 
ideal lattice in Z” is one-to-one, Gentry’s construction is widely known as a fully 
homomorphic encryption system based on the ideal lattice. Because the conclusion 
is only valid on the set of allowable circuit, it is only a bounded fully homomorphic 
encryption. 


6.5 Attribute-Based Encryption 


Fully homomorphic digital signature is a research hotspot at present, among which 
attribute-based encryption is a relatively mature topic. Attribute-based encryption 
(ABE) is a generalized form of identity-based encryption which is proposed in Goyal 
et al. (2006) and Sahai and Waters (2005) first. In this section we will briefly introduce 
ABE. 


Lemma 6.5.1 Let g be a prime number, F, be a finite field with q elements, Fax be 
an extension of degree n of F,, then Fn is isomorphic to a subring H of Z,*", where 
a,beH>a—be GL, (fy), ie. a —b is an invertible matrix. 


Proof Fj / Fg is an n dimensional linear space, let {a,a@2,..., 0} C Fyx be a 
basis. For any a € Fj, we define a linear transformation ty on Fn 


Ta(x) = ax, x © Fon. (6.5.1) 


Obviously Zt, is a linear transformation on Fy». Under the given basis {a;, 02, ..., Mn}, 
let Ay be the corresponding matrix of T,, that is, 


Ty (01, 2, wey Qn) = (aa), d2, 1+, Qn) = (a1, 2, 625 An )Aw. 


Let 
H= {Aw | ae Far} Cc Le 
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we have 
Aa+p = Ag+ Ag, Ag.p = Ag: Ag, 


so Fyn — 7 is aring isomorphism. Note that if a ¢ 0, then tT, is an invertible linear 
transformation on Fj», and the corresponding matrix Ag of Ty is an invertible matrix. 
Ifa,b € Fgx,a  b, it follows that A,_» € GL, (F;), in other words, the difference 
of any two different matrices in the matrix ring H is an invertible matrix. 


Remark 6.5.1 The trace function and determinant of the matrix A, corresponding 
to the linear transformation T, are called the trace and norm of q, 1.e. 


tr(@) = tr(Ag), N(a@) = det(Ag), 


where tr(q@) is an additive homomorphism of Fj» — F,,and N (a) is a multiplicative 
Homomorphism of Fyn > F;,. 

Let Fy» be an n dimensional linear space of F;. Given a basis, Fgx and F7 are 
isomorphic as the linear spaces of F,. For any elements a1, a2, ..., 7 € Fgn in Fon, 
we can define the inner product based on Lemma 6.5.1. 


Definition 6.5.1 For any a, B € Fyn, let-a > Ha € H, B > Hg € H, we define 
the inner product of a and B by 


<a, B> = Hy - Hp. (6.5.2) 


Remark 6.5.2 Since Hy - Hp € F,'*" is a square matrix of order n, the inner product 
of two field elements is a vector. If Hy - Hg € 7H, based on lemma 5.1, there exists 
y € Fy» >r— H,- Hg. However, we cannot get y = a - B, which means that 
(6.5.2) and the one-to-one correspondence of lemma 5.1 are not commutative. 


ABE encryption technique is a very complex matrix encryption method. The 
basic principle is to use the gadget matrix to generate encryption and decryption 
algorithms based on the LWE distribution. It involves the encryption public key 
of LWE cryptosystem, and a private key system based on the attribute vector and 
the dependent vector, which are the keys in the digital signature. In order to fully 
understand the workflow of ABE, we start with some basic matrices. 

Let g be a prime number, Z, is equivalent to a finite field with g elements, and 
Z;, is equivalent to an extension of degree n of Z,. Let G be a gadget matrix of order 
n [see (6.2.6)], i.e. 


G=1,®g' =diag{g’,g’,..., 8} Z, 
where / = |log,q], define A and A by 
Ae Zinn is a uniformly random matrix, 


A=[A), A2,..., Ai] € Zee (6.5.3) 


m=n-+nl, w=nil, 
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where each A; € tg has the same dimension with the gadget matrix G. Let A be 
the private key, R € ae be the trapdoor matrix of A with tag H, i.e. 


AR = HG (mod q). 
Based on Lemma 6.5.1, we define the attribute vector "s by 
# =([M, fo,..., Mle H, (6.5.4) 
where each H; € Le is an invertible matrix, so 7 € ale , let 


Ve = [H,G, H)G,..., HG] <¢ Z*™", (6.5.5) 


Ay =A+Gz EZ, 


the dependent vector Pp € H! defined by the attribute vector Ht satisfies 


where p =([P,, Po,..., Pile Yo ge and each P; € Le 
In order to discuss the generated private key by the dependent vector 2 let Sp 
be 


G~'(P,G) 
G-'(P,G) 

co (6.5.6) 
G-'(P,G) 


here G~!(P;G) is an integer matrix given by Definition 2.2. 


Lemma 6.5.2. Under the above notations, we have 
Gz -Sz= <n, p>G=0. 
Proof Combining (6.5.5), (6.5.6) and (6.2.7), it follows that 


G~'(P;G) 
Gy «o> = [A,\G, HoG,..., HG] : 
G"!(P,G) 


= H|GG"'(P,G) +--- + H,GG"'(P,G) 


=APi\G+WPG+---+HPG 
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= (A P| + Ay P,+---+ A P)G 


=<, p>G=0. 


Encryption: based on the above definitions, let u € Z"”, we encrypt a single bit 
u € Zz by the LWE cryptosystem, and the ciphertext {¢, c+, c} satisfies 


8’ Az (mod q), (6.5.7) 


where s is the private key of the LWE cryptosystem. 
We write {c, c;>, c} as the following form 


n? 


[ety el =, s'[A, Az, u] + é ‘.4) (mod q). 
2 


Decryption: generate the private key vector x satisfying the following equalities 
by the dependent vector Ps 


(6.5.8) 


use x= as the private key to decrypt the ciphertext {c, c=, c} as follows 


n? 
[c’, cy -S3]-x5, 


by (6.5.7), we replace the congruence with equality, then (based on Lemma 5.2) 


co ‘SZ= SA>-Soas'(At Gz) Sz 


> 
P 


gh / Ses ih 
=SB3+sGz- Sz =s Bz, 


p 


therefore, 


[e’, cy - Sg] - xp =, s'[A’, Bg]: xp (mod q) 


=, s‘u (mod q) 
=c-—u S| (mod q) 
=u. 


Both x3 and Sz are the shortest integer solutions. 
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We will not verify the fully homomorphic property of ABE here, and leave it to 
the readers as an exercise. Constructing fully homomorphic digital signature by the 
ABE encryption technology is a popular research topic at present, and we suggest 
readers to follow up it further. 
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Chapter 7 ®) 
A Generalization of NT RUencrypt cro 


NTRU cryptosystem is a new public key cryptosystem based on lattice hard problem 
proposed in 1996 by three digit theorists Hoffstein, Piper and Silverman of Brown 
University in the United States. The essence of NTRU cryptographic design is the 
generalization of RSA on polynomials, so it is called the cryptosystem based on 
polynomial rings. Its main feature is that the key generation is very simple, and the 
encryption and decryption algorithm is much faster than the commonly used RSA 
and elliptic curve cryptography. In particular, NTRU can resist quantum computing 
attacks and is considered to be a potential public key cryptography that can replace 
RSA in the post-quantum cryptography era. 

Many researchers have presented some variations of NTRU by changing its alge- 
braic structure. In 2002, Gaborit introduced an NTRU-like cryptosystem called 
CTRU by replacing the base ring of the NTRU with a polynomial ring over a binary 
field Fy[x] (Gaborit et al., 2002). They proved that their system is successfully 
decrypted. In 2005, Kouzmenko showed that CTRU is weak under a time attack 
and proposed the GNTRU cryptosystem based on Gaussian integers (Kouzmenko 
2006). In the same year, Coglianese introduced an analog to the NTRU cryptosystem 
called MaTRU (Coglianese & Goi, 2005). MaTRU is based on a ring of all square 
matrices with polynomial entries. In 2009, Malekian introduced the QTRU cryp- 
tosystem based on quaternion algebra (Malecian et al., 2011). They also introduced 
the OTRU cryptosystem in 2010 based on Octonion algebra (Malecian & Zakerolh- 
sooeini, 2010). In 2016, Alsaidi proposed a public key cryptosystem BITRU based 
on binary algebra (Alsaidi & Yassein, 2016). However, all of the above variations 
of NTRU have limitations. The purpose of this chapter is extending the theory of 
circulant matrix to general ideal matrix, and constructing more general NTRU cryp- 
tosystem combining with the @-cyclic code. The motivation of this research is to 
adapt the distributed scenario of blockchain architecture and apply the post-quantum 
cryptography in it. 
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7.1 -Cyclic Code 


Let F, bea finite field with g elements and q be a power of a prime number, F,[x] be 
the polynomial ring of F, with variable x. Let F? be the n dimensional linear space 
over Fy, and @ = (¢0, 1, ---, On-1) € a be a fixed vector in a with ¢o # 0, the 
associated polynomial of ¢ given by 


P(x) =x" — gy—1x""! —--- — bx — bo € Falx], G0 £0. (7.1.1) 


Let <(x)> be the principal ideal generated by ¢ (x) in F, [x]. There is a one-to-one 
correspondence between F7' and the quotient ring R = F,[x] / <b(x)>, given by 


C= (Co, Cl,---,Cn—1) € Fr S c(x) =co tex t-:-+cep-1x"! © R. (7.1.2) 


In fact, this correspondence is also an isomorphism of Abel groups. One may extend 
this correspondence to subsets of F7 and R by 


Cc Fi 2C@) = {e(x)le e C} CR. (7.1.3) 


If Cc Ey is a linear subspace of F 7 of dimension k, then C is called a lin- 
ear code in coding theory and written by C = [n,k] as usual. Each vector c = 
(Co, C1, +--+, Cn-1) € C is called a codeword of length n. Obviously, C = [n, 0] and 
C = [n, n] are two trivial codes. Another one is called constant codes, of which is 
almost trivial given by 


C={(b,b,...,b)|b € Fy}, and C = [n, 1]. 


According to the given polynomial ¢(x) in (7.1.1), we may define a linear transfor- 
mation Tg in F oe 


Tp(c) = Th((CO,C1,---; Cn—1)) = (P0Cn—1, 60 + $1Cn—1, C1 + $2Cn-1, +++, Cn—-2 + bn 19 1). 


It is easily seen that ty : Fj — F7 is a linear transformation. 


Definition 7.1.1 Let C Cc F 7 be a linear code. It is called a -cyclic code, if 
Vo €C => Te(c) EC. (7.1.5) 


In other words, a linear code C is a $-cyclic code, if and only if C is closed under 
linear transformation tg. Clearly, if @é = (1, 0,...,0), and g(x) = x” — 1, then the 
o-cyclic code is precisely the ordinary cyclic code (Lopez-Permouth et al., 2009). 


Remark 7.1.1 The @-cyclic code we give here is polycyclic code in fact, which firstly 
appeared in Lopez-Permouth et al. (2009), but we mainly concern for its application 
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to McEliece and Niederriter’s cryptosystems. We first show that there is a one-to-one 
correspondence between ¢-cyclic codes in F . and ideals in R = F,[x] / <@(x)>. 
Lemma 7.1.1 LetC C F7 be a subset, then C is a @-cyclic code, if and only if C(x) 
is an ideal of R. 


Proof We use column notation for vector in F7, then linear transformation ts may 
be written as 


co PoCn-1 co 
Cl Co + P1Cn—-1 C , 
To = : 5 Vo= € E, 
Cn-1 Cn—2 + Pn—1€n-1 Cn-1 


Let Ty be an x n square matrix over Fy, 


(7.1.6) 


where J,,_; is the (n — 1) x (n — 1) unit matrix. The matrix expression of Tg as 
follows 


(a) co oCn-1 
C1 C1 co + b1Cn-1 
zs =T; = @4%) 
Cn-1 Cn-1 Cn—-2 + Pn—1Cn—1 


Suppose C C F? and C(x) is an ideal of R, it is clear that C is a linear code of F?. 
To prove C is a @-cyclic code, we note that for any polynomial c(x) € C(x), then 
xce(x) € C(x) if and only if tg(c) € C, namely, if c(x) € C(x), then 

xe(x) € C(x) & tg(c) ECC & Tyc € C. (7.1.8) 
Therefore, if C(x) is an ideal of R, then we have immediately that C is a @-cyclic 


code of F oe 
Conversely, if C C F, is a g-cyclic code, then for all k > 1, we have 


Veet S Tice, 
It follows that 


Ye(x) € C(x) > x*ce(x) € C(x), OS k<n—1, 


which implies C(x) is an ideal of R. This is the proof of Lemma 7.1.1. 
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By Lemma 7.1.1, to find a @-cyclic code, it is enough to find an ideal of R. There 
are two trivial ideals C(x) = 0 and C(x) = R, the corresponding @-cyclic codes 
are C = [n, 0] and C = F’’ , respectively, which are called trivial @-cyclic code. To 
find non-trivial @-cyclic codes, we make use of homomorphic theorems, which is a 
standard technique in Algebra. Let a be the natural homomorphism from F,[x] to 
its quotient ring R = F,[x] / <(x)>, kerm = <(x)>, 


<o(x)> CNC F,[x] —+R= Fy[x]/<o(x)>, (7.1.9) 
where N is an ideal of F,[x], of which is containing kern = <@(x)>. Since F,[x] 


is a principal ideal domain, then N = <g(x)> is a principal ideal generated by a 
monic polynomial g(x) € F,[x]. It is easy to see that 


<O(x)> C <g(x)> + 8(x)|G@). 
It follows that all ideals N satisfying (7.1.9) are given by 
{<g(x)> | g(x) € F,[x] is monic and g(x)|P(x)}. 
We write by <g(x)> mod ¢(x), the image of <g(x)> under 7, it is easy to check 


<g(x)> mod $(x) = {h(x)g(x) | A(x) € Fy[x] and degh(x) + degg(x) < n}, 
(7.1.10) 
more precisely, which is a representative elements set of <g(x)> mod ¢(x), by 
homomorphism theorem in ring theory, all ideals of R given by 


{<g(x)> mod ¢(x) | g(x) € F,[x] is monic and g(x)|@(x)}. (7.1.11) 


Let d be the number of monic divisors of #(x) in F,[x], we can get the following 
corollary immediately. 


Lemma 7.1.2. The number of $-cyclic code in Fi is d. 
To compare the -cyclic code and ordinary cyclic code, we see a simple example. 


Example 7.1 Constant code C is always a cyclic code for 1 +x +-+- +x"! |x”" — 
1, and its generated polynomial is just 1 + x +----+-x"~!. But constant code C in 
F7 is not always a -cyclic code, it is a p-cyclic code if and only if 1 +x +---+ 
x"—"/@(x), an equivalent condition for 1 + x + ---+x""'|@(x) is 


On| = On-2 = +: =H =I, and gg = 1+b. 


Definition 7.1.2 Let C bea ¢-cyclic code and C(x) = g(x) mod ¢(x). We call g(x) 
is the generated polynomial of C, where g(x) is monic and g(x)|@(x). 
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Lemma 7.1.3 Let g(x) = go + g1x ++-+ + 8n—K-1x"-*! + x" be the generated 
polynomial of a -cyclic code C, where 1 <k <n —1, and g(x)|$(x), then C = 
[n, k] and a generated matrix for C is the following block matrix 


& 
t9(8) 
G=| (8) (7.1.12) 
t% (8) kxn 
where g = (80, 81, --+s &n—-k-1> 1, 0,...,0) € C is the corresponding codeword of 


g(x), and t,(g) = t '(to(g)) forl <i<n—1. 


Proof By assumption, C(x) = <g(x)> mod ¢(x), then {g, tg(g),..-, t '(g)} Cc 
C, we are to prove it is a basis of C. First, these vectors are linearly independent. 


Otherwise, we have 
k-1 


>> bit) (g) = 0, bj € Fy, (7.1.13) 


i=0 


and the corresponding polynomial is zero, namely 


k-1 
(x os! g(x) =0. 


i=0 
It follows that : 
-1 
So dix =0>5; =OforallO<i<k-—1. 
i=0 


Next, if c € C, and c(x) € C(x), by (7.1.10), there is a polynomial b(x) = bo + 
byx + +++ + Dg_gx*-? + x*-! such that 


k-1 


c(x) = bO)g(x) = (x ox! g(x), bai =l, 


i=0 


Thus we have the corresponding codeword of C(x) 


k-1 
c=) bai). 
i=0 


This shows that {g, tg(g),..-, t} '(g)} is a basis of C, and a generated matrix for 
C is 
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&§ 
T (8) 
G= T§(g) 


Tt} (8) 


kxn 


We have Lemma 7.1.3 at once. 


To describe a parity check matrix for a @-cyclic code, for any c = (co, cy, .. 
Cn-1) € F”, we write 


s9 


= n 
c= (Cn—1, Cn—25+++5Cl, co) € Lys 


Lemma 7.1.4 Suppose C is a b-cyclic code with generated polynomial g(x), where 
g(x)|b(x) and degg(x) =n —k. Let h(x) g(x) = (x), where h(x) = ho + hix + 
-+ ++ hg_yx*"! + x*. Then a parity check matrix for C is 


he 
tp (h) 


(7.1.14) 
comma (2 


(n—k)xn 


Proof Since h(x)g(x) = @(x), itmeans thath(x)g(x) = OinR = F,[x] /<@(x)>; 
thus we have 


gohi + gihi-y + +++ + 8n—khi-nsk = 0, VO<i <n—I, 


It follows that GH' = 0, where G is a generated matrix for C given by (7.1.12). 
Therefore, H is a parity check matrix for C. 


A separable polynomial in Algebra means that it has no multiple roots in its 
splitting field. The following lemma shows that there is an unit element in any non- 
zero ideal of R, when ¢(x) is a separable polynomial. 


Lemma 7.1.5 Suppose (x) is a separable polynomial of Fy, and C(x) = g(x) mod 
(x) is an ideal of R with degg(x) < n — 1, then there exists an element d(x) € C(x) 
such that 

c(x)d(x) = c(x), Ve(x) € C(x). 


Proof Let h(x)g(x) = (x). Since (x) is a separable polynomial, then 
gcd(g(x), h(x)) = 1, and there are two polynomial a(x) and b(x) in F,[x] such 
that 

a(x)g(x) + b@x)h(x) = 1. 
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Let 
d(x) = a(x)g(x) = 1 — b@)h(x) € C(x). 


If c(x) € C(x), by (7.1.10), we write c(x) = g(x) g1 (x), it follows that 
c(x)d(x) = a(x)g(x)g(x)gi(x) = CL — bx )h(x))g (x) 81 (x) 


= g(x)gi(x) = c(x)(mod $(x)). 


Thus we have c(x)d(x) = c(x) in R. 


Next, we discuss maximal ¢-cyclic code. Let C(x) = g(x) mod @(x), and g(x) 
be an irreducible polynomial in F,[x], we call the corresponding @-cyclic code C a 
maximal -cyclic code, because <g(x)> is a maximal ideal in F, [x]. 


Lemma 7.1.6 Let C be a maximal $-cyclic code with generated polynomial g(x), 
B be a root of g(x) in some extensions of Fy, then 


C(x) = {a(x) | a(x) € R and a(B) = O}. (7.1.15) 
Proof If a(x) € C(x), by (7.1.10) we have a(8) = 0 immediately. Conversely, if 


a(x) € F,[x] and a(B) = 0, since g(x) is irreducible, thus we have g(x)|a(x), and 
(7.1.15) follows at once. 


An important application of maximal @-cyclic code is to construct an error- 
correcting code, so that we may obtain a modified McEliece-Niederriter’s cryptosys- 
tem. To do this, let 1 < m < ./n, and Fj be an extension field of F, of degree m. 
Suppose Fyn = F, (0), where @ is a primitive element of Fy» and F,(@) is the simple 
extension containing F, and 0. Let g(x) € F,[x] be the minimum polynomial of 6, 
then g(x) is an irreducible polynomial of degree m of F,[x]. Itis well known that Fim 
is a Galois extension of F,, so that all roots of g(x) are in Fym. Let By, B2,..-, Bm 
be all roots of g(x), the Vandermonde matrix V (1, 62, ..., Bm) defined by 


1 By Bp? - 
1 Bo Bye me 


H =V(i, Bo,..-, Bn) = ; (7.1.16) 


1 Bn Be apa i mxn 
where 6; = @ and each f; is a vector of (F,)”. For arbitrary monic polynomial 
h(x) € F,[x], degh(x) = n — m, let (x) = h(x) g(x) and C be a maximal ¢-cyclic 


code generated by g(x). It is easy to verify that 


cE€CScH' =0. 
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Therefore, H is a parity check matrix for C. If we choose the primitive element 6, so 
that any d — | columns in H are linearly independent, then the minimum distance 
of C is greater than d, and C is a t-error-correcting code, where t = [4]. 

The public key cryptosystems based on algebraic coding theory were created by 
Lyubashevsky and Micciancio (2006), and Micciancio and Regev (2009) a suitable 
t-error-correcting code plays a key role in their construction. The error-correcting 


code C should satisfy the following requirements: 


1. C should have a relatively large error-correcting capability so that a reasonable 
number of message vectors can be used; 

2. C should allow an efficient decoding algorithm so that the decryption can be 
carried out with a short time. 


Our results supply a different way to choose an error-correcting code by selecting 
arbitrary irreducible polynomials g(x) € F,[x] of degree m and roots of g(x) rather 
than an irreducible factor of x” — 1 and the roots of unit. 

In fact, for any positive integer m, there is at least an irreducible polynomial 
g(x) € F[x] with degree m. Let N,(m) be the number of irreducible polynomials 
of degree m in F,[x], then we have (see Theorem 3.25 of Lidl & Niederreiter, 1983) 


1 1 im 
Nglm) = — Yu(S)q" = — Yo ulda?, 


d\|m d\|m 


where u(d) is Mobiiis function. 

Assuming one has selected two monic and irreducible polynomials g(x) and 
h(x) with degg(x) = m and degh(x) = n — m, let d(x) = g(x)h(x), then one may 
obtain @-cyclic code C generated by g(x) or h(x), which is more convenient and 
more flexible than the ordinary methods. 

It’s difficult to compare the error-correcting capability between d-cyclic code with 
existing cyclic codes of the same length and dimension. However, we believe that 
the advantages of d-cyclic code will become more clear when q increases. 
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The public key cryptosystem NTRU proposed in 1996 by Hoffstein, Pipher and Sil- 
verman is the fastest known lattice-based encryption scheme; although its descrip- 
tion relies on arithmetic over polynomial quotient ring Z[x]/ <x” — 1>, it was 
easily observed that it could be expressed as a lattice-based cryptosystem (see IEEE, 
2000). For the background materials, we refer to Hoffstein et al. (1998), Lint (1999), 
McEliece (1978). Our strategy in this section is to replace Z[x] / <x” — 1> by more 
general polynomial ring Z[x] /<@(x)> and obtain a generalization of NTRUEn- 
crypt, where $(x) is a monic polynomial of degree n with integer coefficients. 
In this section, we denote ¢(x) and R by 
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(x) =x" — Gyix” | — +» — bix — bo € Z[x], R= ZLx]/ <)>, bo £0. 
(7.2.1) 


Let Hy € Z"*" be a square matrix given by 


(7.2.2) 


where J,_; is (n — 1) x (n — 1) unit matrix. As described in Chap. 5, (x) is the 
characteristic polynomial of H, and H defines a linear transformation of R”? — R” 
by x — Hx, where x is a column vector of IR”. We may extend this transformation 
to R*” and denote o by 


o 3) = (iis) _ where (;) eR", (7.2.3) 


Of course, o is again a linear transformation of R™” > R™, 
A q-ary lattice is a lattice L such that gZ” C L C Z", where gq is a positive integer. 
We give the following definition of convolutional modular lattice. 


Definition 7.2.1 A q-ary lattice L is called convolutional modular lattice, if L is in 
even dimension 2n satisfying 


Vv (4) eL>o , = ea ea (7.2.4) 


here aw and f are column vectors in R”. In other words, a convolutional modular lattice 
is a q-ary lattice in even dimension and is closed under the linear transformation o. 

Recalling the secret key e ) of NTRU is a pair of polynomials of degree n — 1, 
we may regard f and g as column vectors in Z”. To obtain a convolutional modular 
f 
& 


lattice containing , we need some help of ideal matrices. In Chap. 5, we introduce 


the definition of ideal matrix generated by a vector f, 
POSH Gy 6 i Fe Fis (7.2.5) 


which is a block matrix in terms of each column H* fO<k<n-1). Itis easily 
seen that H*(f) is a generalization of the classical circulant matrices. In fact, if 


o(x) =x" —-1, f@) = fot fixt+---+ fix” € Ze, 


the ideal matrix Hj(f) generated by f is given by 
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fo Sn-1 fi 
fi fo sh 

A*(f)= ; ; , P(x) =x" —-1, 
fn—-1 fn—-2-** fo 


which is known as a circulant matrix. On the other hand, ideal matrix and ideal lattice 
play an important role in Ajtai’s construction of a collision-resistant Hash function, 
the related materials we refer to Ajtai and Dwork (1997), Ajtai (1996), Lint (1999). 

We have given some properties of ideal matrix from Lemmas 5.2.1—5.2.4 in 
Chap. 5. Based on these lemmas, next we construct a convolutional modular lat- 


tice containing vector (1). Let (1) € Z*", (H*(f))" be the transpose of H*(f), 


and 
ia a 
f'H' eg HT 
A=[(H*(f))", (Hg) 1 = | SD? gh? , (126) 
fl(aty |! ei (Ay! cee 
* n—1 
ae. ao) = (! es ‘) (12.7) 
H (8) § Ag ane 'g 2nxn 


We consider A and A’ as matrices over Zq, ie. AE a Ale a a q-ary 
lattice A, (A) is defined by 


A,(A) ={y € Z°" | there exists x € Z" > y = A’ x (mod q)}. (7.2.8) 
Under the above notations, we prove that A, (A) is the convolutional modular lattice 


containing (1) ? 
& 


Theorem 7.2.1 For any column vectors f € Z" and g € Z", A,(A) is a convolu- 


tional modular lattice, and 
i») 
€ A, (A). 
( q(A) 


Proof It is known that A, (A) is a q-ary lattice, i.e. 
gL” Cc Ag (A) Cc Va 
We only prove that A, (A) is fixed under the linear transformation o given by (7.2.4). 


If y ¢ A,(A), then y = A’ x (mod q) for some x € Z”, by Lemma 5.2.1 in Chap. 5, 
we have 
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_ (HH (f)x\ _ (H*(f)Hx)\ _ 
o(y) = G24 = ees = A’ Hx (mod q). 


It means that o(y) € A,(A) whenever y € A,(A). Let 
1 


e=|.|/¢€Z"> A*(f)e=f, and A*(g)e= g. 


We have 


({) € A, (A). 


Since A, (A) C Z*", then there is a unique Hermite Normal Form of basis NV, 
which is a upper triangular matrix given by 


Theorem 7.2.1 follows. 


* 
N= c — , where h = (H*(f))"!g (mod q). (7.2.9) 
Next, we consider parameters system of NTRU. To choose the parameters of NTRU, 
let dy be a positive integer and {p, 0, —p}" C Z” be a subset of Z", of which has 
exactly dr + 1 positive entries and dy negative ones, the remaining n — 2dy — 1 
entries will be zero. We take some assumption conditions for choice of parameters 
as follows: 


L. d(x) = x" — by_1x" |! — --- — bx — bo € Z[x] with do # 0, and ¢(x) is sep- 
arable polynomial, n, p, q, df are positive integers with n prime, 1 < p < q and 
gcd (p,q) = 1. 

2. f(x) and g(x) are two polynomials in Z[x] of degree n — 1, the constant term 
of f(x) is 1, f — 1 and g are the corresponding vector of f(x) — 1 and g(x), 
such that 


F=Lelp lpr. 2 ep Oe=P) : 


3. H*(f) is invertible modulo q. 
4. dp < ($-1)/4p— 5. 


Under the above conditions, by Lemma 5.2.2 in Chap. 5 we have 
H*(f) = I, (mod p), and H*(g) = 0 (mod p). (7.2.10) 


Now, we state a generalization of NTRU as follows. 
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1. Private key. The private key in generalized NTRU is a short vector U ) a2. 


and A, (A) is the convolutional modular lattice containing private key. 

2. Public key. The public key of the generalized NTRU is the HNF basis N of 
A, (A), which is given by (7.2.9). 

3. Encryption. An input message is encoded as a vector m € {1, 0, —1}” with 
exactly dy + 1 positive entries and d+ negative ones. Here the reason for restrict- 
ing dy + | positive and d+ negative entries of vector m is to improve the efficiency 
of encryption and decryption and it’s not necessary. The vector m is concatenated 
with a randomly chosen vectorr € {1, 0, —1}” also with exactly dy + 1 positive 


entries and d+ negative ones, to obtain a short error vector (" ) e {1,0, — 1}, 


Let : 
(‘) =H ("") = (” “ i) (mod q), (7.2.11) 


where h is given by (7.2.9). Then, the n dimensional vector c 
c=m-+ A*(h)r (mod q) 


is the ciphertext. 
4. Decryption. Suppose the entries of n dimensional vector c are belong to interval 
q 4 


[— , 5], then ciphertext c is decrypted by multiplying it by the secret matrix 


H*(f) mod q, it follows that 


H*(f)c = H*(f)m+ H*(f)H*(h)r = H*(f)m + H*(g)r (mod q). 
(7.2.12) 
Here, we use (ii) of lemma 5.2.4 in Chap. 5, namely, 


H*(f)H*(g) = H*(A*(f)g), 


If the above four conditions are satisfied, it is easily seen that the coordinates of 
vector H*(f)m + H*(g)r are all bounded by $ in absolute value, or, with high 
probability, even for larger value of d;. The decryption process is completed by 
reducing (7.2.12) modulo p, to obtain 


H*(f)m + H*(g)r = ml, (mod p). 
Thus one gets plaintext m from ciphertext c. We finish the procedure of our 


general NTRU cryptography. 


At the end of this section, we give an example to show the correctness of decryption 
of general NTRU cryptography. 


Example 7.2 Letn = 3, p=3,g=7,0(%) =x 4224244 1, f(x) = 3x? +1, 


g(x) = 3x?, ie. the private key is , with 
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It is easy to get 
1 —33 
H*(f) = |0-20 
3-31 


0=34 
H*(g) = |0-30 
3-30 


By (7.2.9), we compute / and H*(h) as follows 


2 
h = (H*(f))'g (modg) = | 0 ], 
—3 
23-3 
H*(h)=] 05 0 |, 
—33 2 


then the public key N is 
_ (bb H(A) 
v= (on): 


Assume the input message and random vector are 


1 0 
m={0],r=]1], 
0 0 
we get the ciphertext by (7.2.11) 
—3 


c=m+A*(h)r = | —2]) (mod7). 
3 


From (7.2.12) we have 
—2 
H*(f)c = | —3 ] (mod7). 
0 
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Since 
—2 1 
—3} =1{0] (mod3), 
0 0 


one can get the plaintext m from ciphertext c, 
1 
m= |0 
0 


So we verify the correctness and effectiveness of the general NTRU cryptography. 
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